Previous Top News: 2017

EPIC Urges Congress to Focus on Consumer Privacy and Data Security in Antitrust HearingIn a statement to the Senate Judiciary committee, EPIC urged lawmakers to consider consumer privacy at a hearing on "The Consumer Welfare Standard in Antitrust." EPIC emphasized the privacy risks of mergers, stating that "when companies merge, they combine not only their products, services, and finances, but also their vast troves of personal data." EPIC reminded Congress that the United States is experiencing an epidemic of data breaches, and large databases of personal data are more vulnerable to attack. EPIC testified before the Senate Judiciary Committee in 2007 about the growing risks to competition and privacy of mergers in the online advertising industry. EPIC also warned the FTC about the consumer privacy risks of high profile mergers. In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. And in 2014 EPIC urged the FTC to mandate privacy safeguards for Facebook's acquisition of WhatsApp. (Dec. 12, 2017)

FAA Drone Registration Requirement Flies AgainA defense authorization bill signed by the President today restores the FAA's drone registration requirement. The registration requirement was struck down by a federal appeals court earlier this year. EPIC supports registration for commercial drones because of the unique privacy risks they pose. In 2015, EPIC submitted extensive comments to the FAA, proposing that commercial drones also routinely broadcast location, course, speed over ground, as well as owner identifying information, similar to the Automated Identification System for commercial vessels. Earlier this year, EPIC also submitted statements to the House Transportation Committee and the Senate Commerce Committee emphasizing the privacy risks of commercial drones. EPIC is currently challenging the FAA's failure to establish privacy safeguards. EPIC v. FAA is before the D.C. Circuit Court of Appeals, with oral arguments scheduled for January 25, 2018. (Dec. 12, 2017)

EPIC Urges House Judiciary to Examine FBI Response to Russian Cyber AttacksEPIC has sent a statement to the House Judiciary Committee ahead of Wednesday's DOJ Oversight hearing. EPIC urged the Committee to question Deputy Attorney General Rosenstein about the FBI's ability to respond to future cyberattacks concerning the 2018 elections. A recent Associated Press investigation found that the FBI, the lead agency for cyber response, did not notify U.S. officials that their email accounts were compromised during the 2016 election. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI, filed earlier this year. EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity). (Dec. 12, 2017)

EPIC Urges Congress to Regulate AI Techniques, Promotes 'Algorithmic Transparency'In advance of a hearing on "Digital Decision-Making: The Building Blocks of Machine Learning and Artificial Intelligence," EPIC warned a Senate committee that many organizations now make decisions based on opaque techniques they don't understand. EPIC told Congress that algorithmic transparency is critical for democratic accountability. In 2015, EPIC launched an international a campaign in support of Algorithmic Transparency. At a speech to UNESCO in 2015, EPIC President Marc Rotenberg called knowledge of the algorithm "a fundamental human right." Earlier this year, EPIC filed a complaint with the FTC that challenged the secret scoring of athletes by Universal Tennis. EPIC said to the FTC that it "seeks to ensure that all rating systems concerning individuals are open, transparent and accountable." (Dec. 12, 2017)

EPIC Urges Supreme Court to Preserve Wiretap Act Suppression RemedyEPIC has filed an amicus brief in Dahda v. United States, a case concerning the federal Wiretap Act and the suppression of evidence obtained following an invalid wiretap order. The Wiretap Act requires exclusion of evidence obtained as a result of an invalid order. However, the lower court denied suppression even though the order was invalid. EPIC wrote that “it is not for the courts to create atextual exceptions” to federal privacy laws. EPIC explained that Congress enacted broad and unambiguous privacy provisions in the Wiretap Act. “If the government wishes a different outcome,” EPIC wrote, “then it should go to Congress to revise the statute.” EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Byrd v. United States (suspicionless searches of rental cars) and Carpenter v. United States (warrantless searches of cellphone location records).] (Dec. 7, 2017)

Presidential Election Commission Suspends Activities?The Presidential Election Commission is ignoring inquiries from state election officials about the transfer of sensitive voter data sought by the Commission, according to the New Hampshire Union-Leader. The Commission previously promised—in a filing from an EPIC lawsuit—that it would tell states how to “securely” submit voter data. But New Hampshire election officials say they have been unable to reach the Commission or obtain instructions for over a month. Other posts at the Commission website suggests the agency is no longer responding to email. EPIC filed suit in July to halt the Commission’s collection of state voter data and to compel the Commission to conduct a Privacy Impact Assessment required by law. EPIC’s initial filing led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the voter information that was unlawfully obtained. Many states and over 150 members of Congress have opposed the Commission’s efforts to collect state voter data. EPIC’s case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). (Dec. 7, 2017)

Senators Question Privacy and Safety of Facebook’s "Messenger Kids" AppSenators Edward Markey (D-Mass) and Richard Blumenthal (D-Conn) wrote to Facebook CEO Mark Zuckerberg with questions about Facebook’s Messenger Kids app, aimed at children 6-12. The Senators said, “we remain concerned about where sensitive information collected through this app could end up and for what purpose it could be used.” The Children’s Online Privacy Protection Act specifically limits the collection and use of data on children under the age of 13. Concerns about the misuse of children data remains high. EPIC and several consumer privacy organizations filed a complaint with the FTC in 2016 alleging that the Internet-connected doll Cayla spied on children. EPIC also backed a L6 recent campaign to recall Mattel’s Aristotle, a device that collected data from young children. The campaign led Mattel to cancel the sale of Aristotle. (Dec. 7, 2017)

Federal Student Aid Office Not Protecting Student Privacy, GAO Audit FindsThe Federal Student Aid office (FSA) at the Department of Education is not doing enough to protect student privacy, according to an audit by the Government Accountability Office. The GAO found that FSA has failed to hold schools accountable for their lax data security practices that have resulted in numerous data breaches, and has not assessed the privacy risks for its own electronic records system. FSA collects personal information on students and their families to evaluate schools that receive federal student aid. The FSA claims that the FTC can manage privacy protection. EPIC has done extensive work to protect student privacy including a 2014 complaint to the FTC about a massive data breach that impacted students in Maricopa County. The FTC failed to act even though Maricopa county violated the FTC Safeguards Rule by failing to protect students' financial information. EPIC also urged Congress to strengthen student privacy protections following a FAFSA data breach. In 2012 EPIC sued the Department of Education for weakening student privacy protections. EPIC has proposed a Student Privacy Bill of Rights. (Dec. 6, 2017)

European Privacy Experts Call for New Review of EU-US Data ArrangementThe Article 29 Working Party, a group of European privacy experts, is calling for a reexamination of the Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a new report, the Working Party said that "significant concerns" should be resolved by May 25, 2018 when the GDPR goes into force. If not "the members of WP29 will take appropriate action," including litigation. The Working Party cited the US failure to appoint an Ombudsperson to review complaints, vacancies at the Privacy and Civil Liberties Oversight Board, and continued mass surveillance practices by U.S. intelligence agencies. The report follows an earlier review of the EU-US agreement which found "sufficient" protection of EU personal data to the United States. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in DPC v. Facebook, a case now before the European Court of Justice. In a related development, the Working Party also established a task force which will coordinate national investigations of the Uber data breach now underway in Europe. (Dec. 5, 2017)

EPIC Urges Congress to Examine FBI Response to Russian Cyber AttacksEPIC has sent a statement to the House Judiciary Committee ahead of Thursday's FBI Oversight hearing. EPIC urged the Committee to question FBI Director Wray about the agency's ability to respond to future cyberattacks concerning the 2018 elections. A recent Associated Press investigation found that the FBI, the lead agency for cyber response, did not notify U.S. officials that their email accounts were compromised during the 2016 election. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI, filed earlier this year. EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity). (Dec. 5, 2017)

EPIC Amicus - Ninth Circuit Holds Violation of Video Privacy Law Establishes 'Standing'The Ninth Circuit issued an opinion today that addressed standing — the right to bring a lawsuit — under the Video Privacy Protection Act. The court found that the law protects a "substantive right to privacy that suffers any time a video service provider discloses otherwise private information." The court stated that a "plaintiff need not allege any further harm to have standing." EPIC filed an amicus letter brief in response to the court's request for parties to discuss standing following the Supreme Court decision in Spokeo v. Robbins. EPIC urged the court to recognize that "Congress intended to protect consumers' concrete interests in the confidentiality of their video viewing records." Contrasting with the Spokeo decision concerning the Fair Credit Reporting Act, the federal appeals court agreed that the video privacy law protects a "substantive interest." However, the court found that "personally identifiable information" was not disclosed by ESPN. EPIC has filed amicus briefs defending consumers in several cases after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation. (Nov. 29, 2017)

EPIC FOIA - Rep. Ted Lieu Asks FBI to Explain Failure to Notify Russian Hacking VictimsIn a letter to FBI director Christopher Wray, Rep. Ted Lieu (D-CA) asked the FBI to brief Congress on the agency's failure to notify victims targeted by the Russian hacking group Fancy Bear. Lieu's letter follows an Associated Press's (AP) investigation which found that the FBI did not notify U.S. officials that their accounts were compromised even though the FBI knew of the targeted cyber attacks and had primary responsibility in the federal government for notification. EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit (EPIC v. FBI) filed earlier this year. The FBI policy calls for notifying victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. ODNI (Russian hacking), EPIC v. IRS (Release of Trump Tax Returns), and EPIC v. DHS (election cybersecurity). (Nov. 28, 2017)

EPIC Promotes 'Algorithmic Transparency,' Urges Congress to Regulate AI TechniquesIn advance of a hearing on "Algorithms: How Companies' Decisions About Data and Content Impact Consumers," EPIC warned a Congressional committee that many organizations now make decisions based on opaque techniques they don't understand. EPIC told Congress that algorithmic transparency is critical for democratic accountability. In 2015, EPIC launched an international a campaign in support of Algorithmic Transparency. At a speech to UNESCO in 2015, EPIC President Marc Rotenberg called knowledge of the algorithm "a fundamental human right." Earlier this year, EPIC filed a complaint with the FTC that challenged the secret scoring of athletes by Universal Tennis. EPIC said to the FTC that it "seeks to ensure that all rating systems concerning individuals are open, transparent and accountable." (Nov. 28, 2017)

Senator Warner Questions Uber CEO On Why It Hid Data BreachSenator Mark Warner sent a letter to the Uber CEO, Dara Khosrowshahi, questioning him about why the company covered up a data breach that affected 57 million consumers last year. Uber recently admitted that it hid a massive data breach from the public and paid the hackers $100,000 to delete the data. The stolen data included names, e-mail addresses, phone numbers, and drivers' licenses. Senator Warner told the Uber CEO that he had "grave concerns about your handling of a breach," including the fact that the company disclosed the breach to investors but not the public. Senator Warner has co-sponsored bipartisan legislation that would provide consumers with one free credit freeze per year and protect the credit ratings of veterans wrongly penalized by medical bills. EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to an FTC settlement in August, 2017. EPIC has also proposed a privacy law for Uber and other ride-sharing companies. (Nov. 28, 2017)

Uber Hid Massive Data Breach For Over A Year And Paid HackersUber just admitted that hackers stole the personal data of 57 million Uber customers and drivers in October 2016. The data included names, e-mail addresses, phone numbers, and the license numbers of 600,000 drivers. Rather than disclose the data breach to the public, as required by law, Uber paid the hackers $100,000 to delete the information. Uber has a well-documented history of abusing consumer privacy. EPIC recently testified in the Senate for strong data breach legislation that would require companies to immediately notify affected consumers of data breaches. EPIC filed a complaint with the FTC in 2015 regarding Uber's egregious misuse of personal data. That complaint led to an FTC settlement with Uber in August, 2017. In 2015, EPIC also proposed a privacy law for Uber and other ride-sharing companies. (Nov. 21, 2017)

Live Audio: D.C. Circuit Hears Arguments in EPIC Voter Privacy Case Concerning Presidential CommissionThe U.S. Court of Appeals for the D.C. Circuit hears arguments today in EPIC’s case against the Presidential Election Commission concerning the unlawful collection of state voter data. Live audio of the arguments will be streamed from this link beginning at 9:30 a.m. ET. EPIC filed suit to halt the Commission’s collection of state voter data and to compel the Commission to conduct a Privacy Impact Assessment required by law. EPIC’s initial filing led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the state voter data that was unlawfully obtained. Many states have opposed the Commission’s efforts to obtain state voter data. More than 150 members of Congress have urged the Commission to end the collection of voter data. The Government Accountability Office has opened an investigation to determine whether the Commission has engaged in unlawful action. And one Member of the Commission recently filed suit against the Commission. EPIC’s case is EPIC v. Commission, No. 17-1320 (D.D.C.) & 17-5171 (D.C. Cir.). (Nov. 21, 2017)

Senators Leahy and Lee Introduce USA Liberty Act, Reform for FISA SpyingSenator Patrick Leahy (D-VT) and Senator Mike Lee (R-UT) have introduced the USA Liberty Act to reform surveillance under Section 702 of the Foreign Intelligence Surveillance Act. The Leahy-Lee bill would close the "backdoor search" loophole by requiring a probable cause court order before the government can review the contents of Americans' communications. The Leahy-Lee bill also codifies the ban on collecting "about" communications, mandates the appointment of amicus curiae for review of the surveillance programs, and establishes new reporting requirements. In a Freedom of Information Act lawsuit, EPIC v. NSD, EPIC is seeking the release of a Foreign Intelligence Surveillance Court report detailing the FBI’s use of section 702 data for domestic criminal purposes. (Nov. 20, 2017)

EPIC v. FBI: EPIC Pursues Release of Documents on Russian MeddlingIn the Freedom of Information Act lawsuit EPIC v. FBI, EPIC has filed a motion contending the FBI must release records detailing the Russian interference in the 2016 election. EPIC explained that "a year after the election the full extent of Russian interference remains unknown to the public." EPIC also said the the FBI's failure to release documents "is contrary to law and leave at risk the security of future U.S. elections." The FBI must now file a reply to EPIC's motion. EPIC v. FBI is a part of the new EPIC Democracy and Cybersecurity Project focused on preserving democratic institutions. EPIC has filed related FOIA lawsuits against the DHS, ODNI, and IRS. EPIC also recently pressed the Federal Election Commission to establish transparency for online ads. The FEC voted unanimously to adopt new rules. (Nov. 20, 2017)

EPIC, Coalition Oppose Government's 'Extreme Vetting' ProposalEPIC and a coalition of civil rights organizations have sent a letter to the Acting Secretary of Homeland Security strongly opposing the Extreme Vetting Initiative. A similar letter was sent by technical experts. The government's 'Extreme Vetting' initiative uses opaque procedures, secret profiles, and obscure data including social media post, to review visa applicants and make final determinations. EPIC has warned against both the government's use of social media data and secret algorithms to profile individuals for decision making purposes. EPIC is also pursuing a FOIA request for details on the relationship between the Immigration and Customs Enforcement agency and Palantir, a company that provides software to analyze large amounts of data. (Nov. 16, 2017)

EPIC to House Committee: Privacy Safeguards Apply to Personal Data Sent to GovernmentIn advance of a hearing on "Cyber Threat Information Sharing," EPIC has sent a statement to the House Homeland Security Committee. EPIC urged the Committee to determine whether there are sufficient protections for personal data sent to government agencies. Private companies now have legal authority to transfer data to government agencies outside traditional privacy procedures following passage of the Cybersecurity Information Sharing Act. EPIC and a broad coalition warned that the law will increase monitoring of Internet users and government secrecy. EPIC urged the Congressional committee to carefully examine the "scrubbing" techniques that are intended to remove personally identifiable information before data is transferred to federal agencies. (Nov. 15, 2017)

European Court Adviser Says Facebook Privacy Class Action BarredThe opinion of a key adviser to the European Court of Justice holds that a class action cannot proceed against Facebook, but would permit individual privacy claims to move forward. The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. The opinion from Advocate General Bobek said a "consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers," citing the risk of consumers shopping for the most favorable forums. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also considerDPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights. In 2013, Max Schrems received the EPIC International Champion of Freedom Award. (Nov. 15, 2017)

Senator Leahy Introduces Legislation To Protect Consumer PrivacySenator Patrick Leahy (D-VT), joined by six other Senators, introduced comprehensive legislation to protect consumers from data breach and identity theft. The Consumer Privacy Protection Act of 2017 requires companies to provide notice to consumers after a data breach and meet certain baseline privacy and data security standards. The Consumer Privacy Act also prohibits companies from using a data breach to force consumers into individual arbitration, and would punish companies for concealing security breaches. Senator Leahy stated, "Companies that profit from our personal information should be obligated to take steps to keep it safe." Senator Leahy added, "In today's world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security." EPIC recently testified before the Senate Banking Committee in the wake of Equifax breach calling for consumer control over their personal data. EPIC President Marc Rotenberg also outlined several steps for Congress to reform the credit reporting industry in the Harvard Business Review. (Nov. 15, 2017)

D.C. Circuit to Hear Arguments in EPIC Voter Privacy Case Concerning Presidential CommissionThe U.S. Court of Appeals for the D.C. Circuit will hear arguments next week in EPIC’s case against the Presidential Election Commission concerning the unlawful collection of state voter data. EPIC filed suit to halt the Commission’s collection of state voter data and to compel the Commission to conduct a Privacy Impact Assessment required by law. EPIC’s initial filing led the Commission to suspend the collection of voter data, discontinue the use of an unsafe computer server, and delete the state voter data that was unlawfully obtained. Many states have opposed the Commission’s efforts to obtain state voter data. More than 150 members of Congress have urged the Commission to end the collection of voter data. The Government Accountability Office has opened an investigation to determine whether the Commission has engaged in unlawful action. And one Member of the Commission recently filed suit against the Commission. Arguments in EPIC v. Commission are set for next Tuesday, November 21 at 9:30 a.m. and will be streamed live through the D.C. Circuit’s website.
(Nov. 15, 2017)

Senators Question Social Security Administration about Election Commission RequestA group of Senators has requested information from Social Security Administration about the Presidential Election Commission's controversial plan to compare state voter rolls to the SSA's master database. Vice Chair Kris Kobach announced at the Commission's first meeting that the Commission staff would seek personal data from numerous federal agencies, including the SSA. EPIC filed a FOIA request with the SSA in September seeking records of the Commission's attempts to collect SSA data. "The public must know whether, how, and for what purpose a federal Commission is seeking new personal data from SSA, and how the federal agency has responded to any attempt to collect this data," EPIC wrote. EPIC filed similar FOIA requests with the Department of Justice and Department of Homeland Security. EPIC's case challenging the Commission's collection of state voter data will be argued next Tuesday, November 21 at 9:30 a.m. before the U.S. Court of Appeals for the D.C. Circuit. (Nov. 14, 2017)

EPIC to House Judiciary: FBI Response to Russia Attack Must Be ExaminedFollowing a hearing on Russian Interference with the 2016 U.S. Election, EPIC has sent a statement to the House Judiciary Committee. EPIC urged the Committee to explore whether the FBI Victim Notification procedures were followed once the FBI became aware of the Russian cyberattack on the DNC and the RNC. In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents indicate that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The obvious question at this point, said EPIC, is whether the FBI followed the required procedures for Victim Notification once the Bureau became aware of this attack. In a related FOIA case, EPIC v. ODNI, EPIC is seeking the public release of the complete report of the intelligence community on the Russian interference with the 2016 election. (Nov. 14, 2017)

Senators Urge FEC to Promote Transparency in Online AdsA group of 15 Senators led by Mark Warner (D-VA), Amy Klobuchar, (D-MN) and Claire McCaskell, (D-MO) have urged the Federal Election Commission to improve transparency for online political ads. The Senators stated that, "the FEC can and should take immediate and decisive action to ensure parity between ads seen on the internet and those on television and radio." The Senators emphasized how "Russian operatives used advertisements on social media platforms to sow division and discord" during the 2016 election. EPIC provided comments to the FEC calling for "algorithmic transparency" and the disclosure of who paid for online ads. Senators Klobuchar, Warner, and McCain (R-AZ) have also introduced a bipartisan bill that would require the same disclosures for online political advertisements as for those on television and radio. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to promote election integrity and safeguard democratic institutions from various forms of cyber attack. (Nov. 13, 2017)

House Bill Would Restore FAA's Drone Registration RuleA defense authorization bill released today in the House would restore an FAA drone regulation that was struck down by a federal appeals court earlier this year. The D.C. Circuit had previously ruled that a regulation requiring hobbyists to register their drones violated the FAA Modernization Act, which forbids regulations for "model aircraft." EPIC strongly supports registration for commercial drones but recognizes an exception for hobbyists. EPIC submitted statements to the House Transportation Committee and the Senate Commerce Committee earlier this year emphasizing the unique privacy risks of commercial drones. EPIC is currently challenging the FAA's failure to protect the public from aerial surveillance by commercial drones in federal court. EPIC v. FAA is currently before the D.C. Circuit Court of Appeals, with oral arguments scheduled for January 25, 2018. (Nov. 9, 2017)

Presidential Election Commission Sued by Commission MemberA member of the Presidential Election Commission has sued the Commission, arguing that the Commission has violated the Federal Advisory Committee Act. According to Maine Secretary of State Matthew Dunlap, the Commission violated FACA by "excluding certain members of the Commission from substantively participating in its work" and by "preventing certain members of the Commission from accessing documents made available to some Commission members." EPIC filed the first lawsuit against the Commission, charging that it had violated federal law when it failed to conduct and publish a Privacy Impact Assessment prior to the collection of state voter. EPIC v. Presidential Commission is now before the federal appeals court for the D.C. Circuit. Oral argument is scheduled for November 21, 2017. (Nov. 9, 2017)

FTC Requests Public Comments on Strategic PlanThe FTC released a draft of the FTC 2018-2022 strategic plan for public comment. The plan broadly summarizes the FTC's role in protecting consumers and promoting competition. Federal agencies are required by law to publish a strategic plan every four years. EPIC has stated that the Commission needs to "step up its efforts to protect the privacy interests of American consumers." EPIC wrote to Senate Commerce Committee in advance of a recent hearing on reform proposals for the FTC, stating "the FTC must do more to safeguard American consumers." EPIC also urged the FTC to re-focus an upcoming "workshop on informational injury" on the unprecedented levels of data breach and identity theft in the United States. Earlier this year, EPIC and a coalition of consumer privacy organizations set out"10 Steps for the FTC to Protect Consumers." Comments on the Strategic Plan are due to the FTC by December 5, 2017. (Nov. 9, 2017)

European Court of Human Rights Hears Key Surveillance ChallengeEuropean Court of Human Rights has heard10 Human Rights Organizations v. UK, a legal challenge which will impact surveillance practices around the world. The organizations who brought the case argue that surveillance by UK and US intelligence services violated their fundamental rights. In today's hearing, the groups' legal representative characterized the government's position as "trust us and we will keep you safe." Instead, she called for a "framework to ensure...public authorities are doing no more than is truly proportionate and are only using these very intrusive powers when they're necessary." EPIC filed a brief in the case explaining that the NSA's "technological capacities" enable "wide scale surveillance" and that U.S. statutes do not restrict surveillance of non-U.S. persons abroad. EPIC casebook Privacy Law and Society explores a wide range of privacy issues, including recent decisions of the European Court of Human Rights. (Nov. 7, 2017)

EPIC v. DOJ: Court Orders DOJ to Defend Withholding of FISA ReportsA federal court, ruling in an EPIC FOIA lawsuit, has ordered the Department of Justice to defend the agency's refusal to release portions of its Foreign Intelligence Surveillance Act (FISA) reports. The semiannual reports, prepared for Congressional oversight committees, summarize significant FISA Court decisions and include the total number of FISA applications filed by the government and the number of U.S. persons targeted for surveillance. Though the court ruled that the DOJ can withhold some of the material requested by EPIC, the court found multiple "inconsistencies in the redactions that the government must address." Previously, EPIC's FOIA request and lawsuit led to the release of secret documents about the government's use of pen registers to collect records of private communications. (Nov. 7, 2017)

EPIC Promotes 'Algorithmic Transparency' for Political AdsIn comments to the Federal Election Commission, EPIC urged new rules to require transparency for online political ads. EPIC said voters should "know as much about advertisers as advertisers know about voters." EPIC called for algorithmic transparency which would require advertisers to disclose the demographic factors behind targeted political ads, as well as the source and payment. The FEC reopened a comment period on proposed rules "in light of developments." This week representatives from Facebook, Twitter and Google testified at two Senatehearings on the role that social media played in Russian meddling in the 2016 election. Senators Klobuchar (D-MN), Warner (D-VA), and McCain (R-AZ) have also introduced a bipartisan bill that would require increased disclosures for online political advertisements. EPIC's Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to safeguard democratic institutions from various forms of cyber attack. (Nov. 3, 2017)

White House Cancels Safety Rule for Connected VehiclesThe Trump administration has set aside a proposed rule by the National Highway Transit Safety Association to regulate vehicle-to-vehicle (V2V) technology for all new cars and light trucks. V2V technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." NHTSA and safety advocates havetouted V2V technology as life-saving, noting that traffic fatalities have surged over the past two years with the increased use of cellphones. The rule was also supported by automakers to establish baseline safety standards. EPIC commented on the proposed rule and urged NHTSA to adopt stronger privacy protections. EPIC also submitted comments to the FTC and NHTSA for a workshop on connected vehicles, recommending that the agencies do more to protect consumer data. Security researchers have provided numerous examples of remote hacking of vehicles. The administration has denied that it has made any final decision on the rule, but it was removed from an OMB list of upcoming regulatory actions. (Nov. 1, 2017)

EPIC Sues Justice Department for Release of Report on 'Backdoor Searches'EPIC has filed a Freedom of Information Act lawsuit against the Department of Justice National Security Division for a report detailing the FBI's warrantless searches for information about U.S. citizens. Section 702 of the Foreign Intelligence Surveillance Act allows conduct warrantless searches of non-U.S. persons in foreign intelligence investigations. But there are concerns that the FBI uses this authority to conduct "backdoor searches" on Americans. In EPIC v. NSD, EPIC seeks the release of a report ordered by the Foreign Intelligence Surveillance Court detailing the FBI's use of section 702 data for domestic criminal purposes. EPIC also recently joined coalition of over 50 organizations calling on lawmakers to establish a warrant requirement before the government can search 702 databases for information about U.S. citizens and residents. The USA Rights Act, now pending in Congress, would end backdoor searches by all federal agencies. (Nov. 1, 2017)

EPIC Supports "Release to One, Release to All" FOIA PolicyEPIC joined a coalition of open government groups to urge government agencies to implement the "Release to One, Release to All" policy for Freedom of Information Act requests. This policy would require federal agencies to post all Freedom of Information Act disclosures online after the information is released to a particular requester. Despite overwhelming positive public comments, the Office of Information Policy at the Department of Justice has failed to finalize the policy. EPIC supports FOIA reforms to promote government transparency and files lawsuits to force disclosure of agency records. Most recently the EPIC Democracy and Cybersecurity Project is pursuing FOIA requests concerning Russian interference with the 2016 Presidential election. (Oct. 31, 2017)

EPIC Urges FTC to Focus on Data Protection at Upcoming WorkshopEPIC has sent a letter to the FTC expressing concerns regarding their upcoming workshop on "Informational Injury." In advance of the workshop, the FTC has asked, "how to best characterize" privacy injuries. EPIC stated, "the injuries consumers face are obvious," in particular the unprecedented levels of data breach and identity theft. EPIC urged the FTC to re-focus the workshop on the questions of why data breach, identity theft, and financial fraud continue to rise in the United States, and how the FTC can do more to address these issues. EPIC recently testified before Congress on consumer data security and the credit bureaus, and has called on the FTC to step up its enforcement to protect consumer privacy. (Oct. 31, 2017)

EPIC Calls on House to Protect Privacy at U.S. SeaportsEPIC submitted a statement to the House Homeland Security Committee in advance of a hearing on "Examining Physical Security and Cybersecurity at Our Nation's Ports." The Committee recently reported favorably "The Border Security for America Act," which would dramatically expand U.S. border surveillance, including a biometric exit data system at U.S. seaports. EPIC has expertise regarding maritime surveillance. EPIC pursued a Freedom of Information Act lawsuit against the Department of Homeland Security concerning the Nationwide Automatic Identification System, a system designed with the support the U.S. Coast Guard to promote boating safety that the DHS has transformed into a surveillance surveillance for monitoring vessels, including recreational vessels operated by U.S. citizens. In the letter to the House Committee, EPIC warned that "many of the techniques that are proposed to enhance border surveillance have direct implications for the privacy of American citizens." (Oct. 30, 2017)

Government Accountability Office to Investigate Presidential Election CommissionThe Government Accountability Office announced this week that it will conduct an investigation into the activities of the Presidential Election Commission. The decision follows a letter by three senators urging the GAO to launch a probe and warning that the Commission’s lack of transparency will “unnecessarily diminish confidence in our democratic process.” Among the issues raised in the letter from the Senators are: “The steps the PACEI has taken to protect any voter information that is has collected” and “The steps the PACEI took to adhere to regulations governing its activity.” EPIC sued the Commission in July for failing to conduct a Privacy Impact Assessment prior to establishing a database of personal voter data. Last week, EPIC urged Congress and the General Services Administration to block the Commission from collecting voter information. EPIC's case is EPIC v. Commission, No. 17-1320 (D.D.C.), and the related appeal is EPIC v. Commission, No. 17-5171 (D.C. Cir.). The argument before the D.C. Circuit Court of Appeals is scheduled for November 21, 2017. (Oct. 27, 2017)

Presidential Memo Promotes Local Drone RegulationsA Presidential Memorandum on "Unmanned Aircraft Systems Integration Pilot Program" seeks to promote local state involvement in "development and enforcement" of Federal regulations as well as "inform the development of future Federal guidelines and regulatory decisions" on drone operations nationwide. As the FAA has failed to establish national standards for privacy, many local governments have passed laws to regulate the use of drones. According to the National Conference on Site Legislation, at least 38 states are considering legislation related to drones in the 2017 legislative session. In 2016, EPIC renewed its suit against the FAA, arguing the agency failed to protect the public from aerial surveillance. EPIC v. FAA is currently before the D.C. Circuit Court of Appeals. Argument will likely take place this fall. (Oct. 26, 2017)

Senate Restores Forced Arbitration, Undermines Data ProtectionThe Senate voted 51-50 (with Vice President Pence breaking the tie) to repeal the CFPB rule that prevented financial companies from forcing consumers into individual arbitration. Fine-print arbitration clauses in consumer contracts have proliferated ever since a pair of Supreme Courtrulings held that courts must enforce these clauses. Equifax generated public outrage after its breach when it lured consumers into signing away their rights to sue the company. As the CFPB found, arbitration clauses that ban class actions inhibit consumers from obtaining meaningful relief and holding financial institutions like Equifax and Wells Fargo accountable when they break the law. Senators Franken (D-MN) and Leahy (D-VT) have introduced legislation that would prohibit companies from denying individuals their right to go to court. EPIC President recently testified before the Senate Banking Committee on the Equifax data breach. Rotenberg said, the "company tried to trick consumer into an arbitration agreement, guaranteeing that there would be few legal remedies for consumers following the breach." (Oct. 26, 2017)

European Court Adviser Says Local Regulators Can Enforce Privacy Laws Against FacebookThe opinion of a key adviser to the European Court of Justice holds that local European data protection authorities can directly enforce privacy laws against Facebook. The case involves a German data protection authority's order to deactivate a local Facebook fan page for illegally tracking users. The opinion from Advocate General Bot said regional data protection authorities can intervene to stop unlawful data practices. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also considerDPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights. (Oct. 24, 2017)

EPIC Asks Senate to Probe Customs & Border Protection Nominee on Facial Recognition, DronesEPIC has sent a letter to the Senate Finance Committee with questions for the next Commissioner of U.S. Customs and Border Protection. The Committee will consider the nomination of Kevin McAleenan to head the CBP at a hearing this week. EPIC raised questions regarding (1) whether Kevin McAleenan would use DACA data for purposes unrelated to DACA eligibility; (2) CBP's use of facial recognition technology; (3) CBP's collection of social media information; (4) CBP's proposed exemption of Privacy Act safeguards for a new agency database; and (5) CBP's use of drones to conduct aerial surveillance on American citizens. EPIC asked "How will CBP ensure that the collection and use of biometric data will not expand beyond the original purpose?" and "Will CBP link images collected by drones with facial biometrics in CBP or DHS databases?" EPIC has submitted comments to DHS and CBP concerning their collection of social media information. EPIC has also filed a FOIA lawsuit seeking documents on CBP's biometric tracking programs and EPIC's Jeramie Scott has written an op-ed for The Hill about CBP's use of facial recognition technology. (Oct. 24, 2017)

FTC Provides Guidance on Voice Recordings and KidsThe Federal Trade Commission has clarified how the Children's Online Privacy Protection Act applies to toys that make voice recordings of children. The Commission's enforcement policy statement stated that an audio file may only be used "as a replacement for written words," and may only be maintained "for the brief time necessary for that purpose." Additionally, "the operator may not make any other use of the audio file in the brief period before the file is destroyed — for example, for behavioral targeting or profiling purposes." EPIC has supported efforts by consumer groups to warn of the risks smart toys pose to childhood development. Last year, a coalition of consumer groups pursued a complaint about My Friend Cayla, an Internet connected toy that recorded the private conversations of children. The complaint spurred a Congressional investigation and the toy was recalled in Europe. (Oct. 24, 2017)

EPIC Opposes Social Media Data Collection by CBPIn comments to Custom and Border Protection, EPIC opposed the federal agency's proposal to collect social media information, including metadata, for a new intelligence database. CBP also proposed to exempt the database from protections of the Privacy Act and to create numerous "routine uses" for the information. EPIC said that CBP should narrow the Privacy Act exemptions and limit the number of routine uses. In a FOIA lawsuit against DHS, EPIC obtained documents which revealed that federal agencies gather social media comments to identify individuals critical of the government. EPIC is currently pursuing a FOIA request about a revised DHS plan to require disclosure of social media passwords before allowing entry into the country. (Oct. 24, 2017)

Communications Privacy Directive Moves Forward in European ParliamentEuropean Parliament Committee on Civil Liberties, Justice and Home Affairs - or LIBE Committee - has approved an update to EU communications privacy law in a key step toward finalizing the regulation. The proposed e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The Members recommended "privacy by default" settings be standardized, strong encryption by providers, and that users' consent obtained before the use of any personal data. In the U.S., EPIC has urged the Federal Communication Commission to bring U.S. law up to date with a similar, comprehensive approach to communications privacy. Next, the full European Parliament will vote on the legislation this week. (Oct. 23, 2017)

Report: Body Cameras Failed to Improve Police BehaviorIn the largest study to date of police body cameras, a new report concluded that the cameras had no impact on police use of force and civilian complaints. The report is a result of a project in Washington, D.C. to assess the benefits of the body cameras worn by the Metropolitan Police Department. EPIC previously testified before the D.C. City Council, warning of the risks of mass public surveillance and arguing that police body cameras were "an intrusive and ineffective technology that does not address underlying problems with police accountability." (Oct. 20, 2017)

Pew Survey Examines "Future of Truth and Misinformation Online"The Pew Research Center released a report on how to address the spread of digital misinformation in the coming decade. The report's respondents were evenly divided on whether technological advances in the coming decade will fix the problem of misinformation, or only compound it. EPIC President Marc Rotenberg told Pew, "The problem with online news is structural: There are too few gatekeepers, and the internet business model does not sustain quality journalism. The reason is simply that advertising revenue has been untethered from news production." The prevalence of "fake news" was one of the most significant issues in the 2016 presidential election. EPIC's Democracy and Cybersecurity Project seeks to restore integrity in democratic elections. EPIC is also pursuing details of the Russian election interference in FOIA cases against the FBI, the Office of Director in National Intelligence, and the IRS. This week several senators introduced bipartisan legislation to strengthen disclosure requirements for online political ads. (Oct. 20, 2017)

EPIC Opposes DHS Plan for Social Media SurveillanceIn comments to the Department of Homeland Security, EPIC opposed a plan to add social media information to the official files of all immigrants. EPIC said the DHS proposal threatens First Amendment rights, risked abuse, and would disproportionately impact minority groups. A coalition of organizations also submitted comments to express concern about the proposal. EPIC previously opposed a Customs and Border Protection proposal to collect social media identifiers from visa applicants. In a FOIA lawsuit against DHS, EPIC obtained documents which revealed that federal agencies gather social media comments to identify individuals critical of the government. EPIC is currently pursuing a FOIA request about a revised DHS plan to require disclosure of social media passwords before allowing entry into the country. (Oct. 19, 2017)

EPIC Urges Congress, GSA to Suspend Collection of State Voter DataIn a letter to a Senate oversight committee, EPIC urged Congress and the incoming Administrator of the General Services Administration to block the Presidential Election Commission from collecting state voter data. As EPIC recently explained in a case before a federal judge in Washington, DC, the Commission is part of the GSA and must comply with that agency’s requirement to conduct a Privacy Impact Assessment prior to the collection of personal data. In the letter to the Senate Committee, EPIC wrote that "the very last thing that the Senate Committee or the incoming GSA Administrator should tolerate is a federal entity that seeks to avoid legal obligations to protect the privacy of Americans." The Commission was previously forced to suspend the collection of voter data in response to EPIC's lawsuit, but it later resumed that process. EPIC's case is EPIC v. Commission, No. 17-1320 (D.D.C.), and the related appeal is EPIC v. Commission, No. 17-5171 (D.C. Cir.). The argument before the D.C. Circuit Court of Appeals is scheduled for November 21, 2017. (Oct. 19, 2017)

Senate Bill to Improve Transparency and Accountability for Online Political AdsSeveral senators announced a bipartisan bill to make online political advertisements more transparent. The Honest Ads Act is a direct response to Russian interference in the 2016 election, which included political ads on Facebook, Google and Twitter. The bill, co-sponsored by Senators Klobuchar (D-MN), Warner (D-VA), and McCain (R-AZ), would impose the same disclosure requirements for online ads as for TV and radio ads. "First and foremost this is an issue of national security — Russia attacked us and will continue to use different tactics to undermine our democracy," Senator Klobuchar said. The FEC also announced on October 10 that "in light of developments" it would reopen for public comment its disclosure rules for online political ads. EPIC is fully engaged in the challenge of protecting democracy by promoting cybersecurity and election integrity. EPIC has filed several FOIA lawsuits to determine the scope of Russian interference. The cases include: EPIC v. FBI (Russian Hacking), EPIC v. ODNI (Russian Hacking), and EPIC v. IRS (Donald Trump's Tax Records). (Oct. 19, 2017)

Scrutiny of Presidential Election Commission GrowsThe Presidential Election Commission is coming under increasing scrutiny from lawmakers and even its own members. On Tuesday, Commissioner Matthew Dunlap charged that the Commission had given him "utterly no information" about the Commission's activities. Dunlap involved the public records statute to demand documents about the Commission he sits on. Members of the Senate Judiciary Committee are also demanding records from the Department of Justice about the Department's possibly unlawful coordination with the Commission. Questions have also been raised about the Commission's hiring practices. The Commission was previously forced to suspend the collection of voter data in response to EPIC's lawsuit, but it recently resumed that process. EPIC has urged state election officials not to release any voter information until the Commission conducts a Privacy Impact Assessment. EPIC's case is EPIC v. Commission, No. 17-1320 (D.D.C.), and the related appeal is EPIC v. Commission, No. 17-5171 (D.C. Cir.). The argument before the D.C. Circuit Court of Appeals is scheduled for November 21, 2017. (Oct. 18, 2017)

In Senate Testimony, EPIC Calls for Reform of Credit Reporting IndustryEPIC's President Marc Rotenberg will testify this week before the Senate Banking Committee on reform of the credit reporting industry following the Equifax breach. The hearing, "Consumer Data Security and the Credit Bureaus," followsseveralCongressionalhearings with Equifax CEO Richard Smith. Rotenberg will emphasize the need to limit the use of the Social Security number in the private sector and to give consumers control over their personal data. EPIC will recommend a national credit "freeze" and free life-term credit monitoring services for all U.S. consumers. Rotenberg detailed how the credit reporting industry is broken in a recent article in the Harvard Business Review. He also warned that the failure to update U.S. privacy law has placed the digital economy at risk and may lead to the suspension of trans-border data flows. EPIC has previously testified before the House and Senate on the need for Congress to address data breach and identity theft. (Oct. 16, 2017)

Consumer Groups Ask Safety Commission to Recall Google HomeEPIC and a coalition of leading consumer groups have asked the Consumer Product Safety Commission to recall the Google Home Mini "smart speaker." The touchpad on the Google device is permanently set to "on" so that it records all conversations without a consumer's knowledge or consent. The consumer groups said that "as new risks to consumers arise in consumer products, it is the responsibility of the Consumer Product Safety Commission to respond." The groups also urged the Safety Commission to enforce the Duty to Report to CPSC against manufacturers of "IoT" devices. Last year, a coalition of consumer groups pursued a complaint about My Friend Cayla, an Internet connected toy that recorded the private conversations of young children. The Cayla complaint spurred a Congressional investigation and toy stores across Europe removed the doll from their shelves. (Oct. 13, 2017)

EPIC Urges House to Strengthen US Privacy Laws for Cross Border Data FlowsEPIC sent a letter to a House committee on Digital Commerce and Consumer Protection for the hearing "21st Century Trade Barriers: Protectionist Cross Border Data Flow Policy's Impact on U.S. Jobs." EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.'s lax privacy laws. EPIC recommended Congress take four steps to update U.S. privacy law: (1) enact the Consumer Privacy Bill of Rights, (2) modernize the Privacy Act, (3) establish an independent data protection agency, and (4) ratify the International Privacy Convention. EPIC also noted that the Schrems II decision calls into question the viability of "Privacy Shield," the current data transfer scheme between the US and EU. (Oct. 12, 2017)

EPIC, Open Government Groups Call for Release of Trump's Tax ReturnsEPIC and a coalition of leading open government organizations have urged the Joint Committee on Taxation and the IRS Commissioner to release Donald Trump's tax returns to correct numerous misstatements of fact concerning the President's financial ties to Russia, such as "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." These statements have been directly contradicted by his attorneys, members of his family, and various news reports. The IRS Commissioner, with the approval of the Joint Committee on Taxation, is authorized to release tax records to "correct misstatements of fact," and the agency exercised the authority ten times in one year. EPIC is also pursuing a lawsuit against the IRS after the agency failed to release Trump's tax records in response to a FOIA request. EPIC v. IRS is now pending before the D.C. Circuit Court of Appeals. (Oct. 11, 2017)

EPIC Defends User Privacy in Case Concerning hiQ Labs "Scraping" of Personal DataEPIC has filed an amicus brief in hiQ Labs, Inc. v. LinkedIn Corp., a case concerning the use of personal data provided by Internet users to LinkedIn. A lower court ordered LinkedIn to provide LinkedIn user data to hiQ Labs, a data analytics firm that scores employees and provides secret intelligence to employers about "flight risk." EPIC argued that, "the lower court has undermined the fiduciary relationship between LinkedIn and its users." EPIC also said the order is "contrary to the interests of individual LinkedIn users" and contrary to the public interest "because it undermines the principles of modern privacy and data protection law." Siding with neither party, EPIC urged reversal to protect online privacy. EPIC routinely participates as amicus curiae in cases concerning consumer privacy. (Oct. 11, 2017)

No Plans to Target Dreamers Using DACA DataA Department of Homeland Security official told the Senate Judiciary Committee today that the agency has no "plans to target any Dreamers based on any information [they] have received." James McCament Acting Director of Immigration Services said that DHS will adhere to the 2012 Privacy Impact Assessment, which limits the use of personal data obtained from DACA applicants. EPIC earlier recommended that DHS comply with the Privacy Impact Assessment and the federal Privacy Act. (Oct. 4, 2017)

EPIC Sues Department of Homeland Security for Release of Russian Interference RecordsEPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to obtain records related to Russian interference in the 2016 U.S. Presidential Election. Earlier this year, the DHS has designated state election systems as critical infrastructure and published a Joint Analysis Report acknowledging Russian interference with U.S. election systems. However, DHS has not provided any significant new information to the American public about the extent of the Russian interference. EPIC now seeks disclosure of the agency's "research, integration, analysis" related to the scope of Russian interference. EPIC's FOIA lawsuit follows H.Res. 235, a bill sponsored by Rep. Thompson (D-MS) that would have directed the DHS to provide this information to Congress, but was blocked by the House Homeland Security Committee. EPIC has filed several FOIA lawsuits to determine the scope of Russian interference. The cases include: EPIC v. FBI (Russian Hacking), EPIC v. ODNI (Russian Hacking), and EPIC v. IRS (Donald Trump's Tax Records). (Oct. 4, 2017)

EPIC Recommends Measures to Protect Seniors from RobocallsEPIC sent a letter to the Senate Committee on Aging in advance of a hearing on robocalls and fraud against seniors. EPIC explained that "criminals target senior citizens, believing they are wealthy and will be unable to detect crime or report that a crime has occurred." In comments to the FCC earlier this year, EPIC expressed support for regulations that would allow block unsolicited calls from invalid numbers. EPIC told the Committee that the FCC rule could protect seniors and other consumers from predatory robocalls. (Oct. 4, 2017)

EPIC, Coalition Call for End to Warrantless Section 702 Searches of Americans' DataEPIC and a coalition of over 50 organizations called on lawmakers to require federal agencies to obtain a probable cause warrant before searching foreign intelligence databases for information about U.S. citizens and residents. Section 702 of the Foreign Intelligence Surveillance Act allows agencies - without a warrant and in a broad range of circumstances - to search for information about Americans among communications collected for foreign intelligence purposes. In a letter to leaders of the House Judiciary Committee, the groups explained that this practice "undermine[s] constitutional protections create an unacceptable loophole to access Americans' communications in criminal and foreign intelligence investigations alike." EPIC and a coalition also recently urged Director of National Intelligence Dan Coates to uphold a promise to give a public estimate of how many Americans are caught up in NSA surveillance of foreign targets. EPIC is currently pursuing a Freedom of Information Act request for a government report to the Foreign Intelligence Surveillance Court about FBI search of Section 702 data for domestic criminal investigations. (Oct. 3, 2017)

European High Court to Consider Future of Personal Data Transfers to USThe European Court of Justice will now hear a second case on legal protections for personal data sent from Europe to the United States. Data Protection Commissioner v. Facebook considers whether Facebook’s transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The Irish High Court ruled this week that there are “well-founded concerns that there is an absence of an effective legal remedy in U.S. law” and referred the matter to the high court of Europe. The case in Ireland follows the landmark 2015 decision Schrems v. DPC, which found insufficient legal protections for the transfer of data to the United States. In the Irish case, Max Schrems, an Austrian privacy advocate, challenged Facebook’s transfer of personal data to the U.S. under “standard contractual clauses.” EPIC was designated the US NGO amicus curiae in DPC v. Facebook, and provided a detailed assessment of US privacy law. EPIC was represented before the Irish court by FLAC (Free Advice Legal Centres), an independent human rights organization, based in Dublin. (Oct. 3, 2017)

EPIC Obtains Documents about DARPA's "Brandeis" ProgramEPIC has received documents about the Defense Advanced Research Projects Agency's (DARPA) Brandeis Program, following a 2015 FOIA request. According to the agency, the program is intended to "research and develop tools for online privacy." EPIC obtained over 1,100 pages of documents about the Program. The documents include email communications (parts 1, 2, 3), budget appropriation justifications for fiscal year’s 2015 (parts 1, 2) and 2016 (parts 1, 2), as well as the names of contract awardees. According to the documents obtained by EPIC, the $75 million program provided $75 million over 4.5 years. Contract recipients include UC Berkley, UC Irvine, MIT, Carnegie Mellon University, Raytheon, SRI International, Stealth Software Technologies, and Galois. (Oct. 2, 2017)

Court Rules New York "Ballot Selfie" Ban is ConstitutionalA federal court has ruled that a New York state ban on the posting of "ballot selfies" is constitutional. "New York has a compelling interest in preventing vote buying and voter coercion," the court wrote. "The State's interest in the integrity of its elections is paramount." Ballot selfies allow campaigns, employers, unions, and others to find out how an individual voted. But as EPIC explained in "The Secret Ballot At Risk: Recommendations for Protecting Democracy," the secret ballot—the inability to link particular voters to particular votes—is a cornerstone of modern democracies. The secret ballot reduces the threat of coercion, vote buying and selling, and tampering. EPIC has a long history of working to protect voter privacy and election integrity. In a 2010 Supreme Court case, EPIC argued that disregard for voter privacy may unconstitutionally burden the right to vote. (Sep. 29, 2017)

EPIC has filed a letter brief in a video privacy case concerning ESPN’s collection of viewer data. The court in Eichenberger v. ESPN, Inc. is trying to determine whether consumers can bring lawsuits based on a violation of federal privacy law after the Supreme Court’s decision in Spokeo v. Robins, a case about “standing” to sue. EPIC filed a brief in support of Eichenberger, arguing that "the history and judgement of Congress leaves little doubt that Congress believed a violation of the Act would be a concrete injury." EPIC also explained "a court is not empowered to override congressional judgments as to which injuries should be legally protected.” EPIC testified before the Senate about the history and purpose of the Video Privacy Protection Act. EPIC has also filed several amicusbriefs on standing to sue in consumer privacy cases.

(Sep. 28, 2017)

EPIC Files Appeal to DC Circuit, Seeks Release of Trump Tax ReturnsEPIC has appealed the decision of a federal district court which ruled that the IRS can withhold President Trump's tax records sought by EPIC under the Freedom of Information Act. EPIC had argued that the IRS has the authority to release the records to correct numerous misstatements of fact concerning the President's financial ties to Russia, such as "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." In response to a FOIA request from EPIC, the IRS recently acknowledged that it has used this authority 10 times in one year. But the district court said the power was a "rare bird" and concluded that "until President Trump or Congress authorizes release of the tax returns, EPIC (and the rest of the American public) will remain in the dark." EPIC v. IRS is one of three leading open government cases concerning Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC is seeking the release of the complete report on the scope of the attack. In EPIC v. FBI, EPIC is seeking information about the FBI's response to the attack. (Sep. 28, 2017)

EPIC Urges Senate to Block Biometric Collection At US AirportsEPIC has sent a statement to the Senate Commerce Committee following a hearing on the Transportation Security Administration. EPIC urged the Committee to limit the collection of biometric data at US airports. EPIC described the growing and regulated use of biometrics in US airports, often targeting US citizens. EPIC previous pursued a significant lawsuit against the TSA to limit the use of body scanners. EPIC is currently seeking records from Customs and Border Protection concerning the agency's use of facial recognition for a biometric entry/exit program at airports. EPIC has also objected to a proposal to increase the collection of biometric data for the TSA Pre-Check program. (Sep. 28, 2017)

EPIC Calls for Greater FTC EnforcementIn advance of a Senate Commerce hearing on consumer privacy, EPIC called for more action by the Federal Trade Commission to protect American consumers. In a statement for the Committee, EPIC said that "the FTC is simply not doing enough to safeguard the personal data of American consumers." EPIC explained that "the FTC's privacy framework - based largely on 'notice and choice' - is simply not working." EPIC also warned that consumers "face unprecedented threats of identity theft, financial fraud, and security breach." EPIC has fought for consumer privacy rights at the FTC for more than two decades, filing landmark complaints about privacy violations by Uber, Microsoft, Facebook, Google, and even suing the Commission when it has failed to enforce its own orders. (Sep. 28, 2017)

EPIC Backs Commission on Evidence-Based Policymaking, Urges Congress to Take Steps to Preserve PrivacyIn a statement to Congress, EPIC expressed support for the findings of the Commission on Evidence-Based Policymaking. Congress established the Commission to study how data across the federal government could be combined to improve public policy while protecting privacy. The Commission's report recommends new privacy safeguards and encourages broader use of statistical data. EPIC submitted comments to the Commission urging the adoption of Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. Several of EPIC's recommendations were incorporated in the Commission report. A report from the National Academies of Science earlier this year examined federal data sources and privacy. (Sep. 26, 2017)

CBP Plans to Exempt Social Media Data from Legal ProtectionsCustoms and Border Protection has published a system of records notice for the "Intelligence Records System." The agency proposes to exempt the database from many Privacy Act safeguards. The database contains detailed personal data from social media and commercial data services. CBP will use the "Analytical Framework for Intelligence" to secretly profile and evaluate social media users. In the FOIA lawsuit EPIC v. CBP, EPIC uncovered Palantir's role in Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to U.S. travelers. EPIC is now pursuing a FOIA request to Immigration and Customs Enforcement seeking details of the agency's relationship with Palantir. (Sep. 22, 2017)

DC Court: Warrantless Tracking with "Stingray" Violates Fourth AmendmentThe D.C. Court of Appeals has ruled that warrantless use of a cell-site simulator or "stingray" violates the Fourth Amendment. The court found that Stingray devices enable "officers who possess a person's telephone number to discover that person's precise location remotely and at will." The court held that the use of a Stingray invaded a reasonable expectation of privacy and thus, was a Fourth Amendment search. EPIC recently filed a brief in a U.S. Supreme Court case arguing that warrantless location tracking violates the Fourth Amendment. EPIC has also promoted oversight of Stingrays by law enforcement agencies. An EPIC FOIA lawsuit in 2012 revealed that the FBI was using stingrays without a warrant, and that the FBI provided Stingrays to other law enforcement agencies. EPIC has also filed amicusbriefs in federal and states courts arguing that cell phone location data is protected by the Fourth Amendment. (Sep. 22, 2017)

Senators Introduce Data Breach Legislation In The Wake Of Equifax BreachSenator Markey (D-MA) and several other Senators have introduced legislation that would provide consumers with more control over their personal data. The Data Broker Accountability and Transparency Act would allow consumers to access and correct their personal data and stop data brokers from using, disclosing, or selling their information for marketing purposes. The bill also requires data brokers to develop comprehensive privacy and data security measures and provide "reasonable notice" in the event of a breach. For years, EPIC has supported stronger data breach notification laws, and EPIC has testified before the Senate and House in support of a federal law. EPIC supports consumer control over personal data, and EPIC recommends mandatory breach notification procedures to ensure the consumers are aware when their personal data is wrongly obtained by others. Additionally, last year EPIC created http://www.dataprotection2016.org/ to promote the adoption of stronger privacy safeguards in the U.S. (Sep. 15, 2017)

Justice Department Exempts "Insider Threat" Database from Privacy Act SafeguardsThe Department of Justice has issued a final rule on the "Insider Threat" database, a program that allows federal agencies to gather virtually unlimited amounts of personal data on individuals based on broad and ambiguous standards. The Department of Justice exempted itself from Privacy Act safeguards that would limit the collection of personal data, and allow individuals access to their information maintained by the federal agency. In detailed comments, EPIC opposed the exemptions sought by the Justice Department. EPIC also questioned whether that information would be adequately protected. The Justice Department responded to EPIC and acknowledged increases in data breaches in both the public and private sectors but stated that the agency had proper safeguards in place to guard against "anticipated threats." (Sep. 15, 2017)

EPIC Urges Senate To Establish Data Protection Standards For Financial TechnologiesIn advance of a hearing on financial technology, EPIC recommended that the Senate Committee establish privacy standards for financial companies that use social media and secret algorithms to make determinations about consumers. In light of the recent Equifax breach, EPIC proposed that the Committee make privacy and security its top priorities. Earlier this year, EPIC submitted a similar statement to the House Committee on Energy and Commerce. EPIC also recently filed a complaint with the CFPB regarding "starter interrupt devices" deployed by auto lenders to remotely disable cars when individuals are late on their payments. Testimony of Professor Frank Pasquale on "Exploring the Fintech Landscape." (Sep. 11, 2017)

FTC Announces Privacy Shield Settlement but Imposes No PenaltiesThe Federal Trade Commission announced today a settlement with three companies that misrepresented their participation in the Privacy Shield arrangement. The Privacy Shield allows companies to transfer the personal data of European consumers to the United States based on a system of industry self-certification. The FTC settlement prohibits the companies from making future false claims about compliance with Privacy Shield, but does not impose any penalty. The FTC settlement also fails to provide any remedy to the EU consumers whose personal data was wrongfully obtained, nor does it require the companies to disgorge the data they fraudulently obtained. EPIC and consumer organizations in the US and Europe have criticized Privacy Shield for failing to establish basic privacy protection and lacking effective remedies. The FTC is now soliciting public comments on the proposed settlements, and the deadline to file a comment is October 10, 2017. (Sep. 8, 2017)

In one of the most serious data breaches in U.S. history, the credit records of more than 140 million consumers, maintained by Equifax, have been compromised. Credit reports typically include social security numbers, drivers license infomation, and other personal data that make possible identity theft and financial fraud. Senator Warner said the breach, “represents a real threat to the economic security of Americans." For years, EPIC has urged Congress to strengthen privacy laws and to require Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. In 2011, EPIC testified before the House and the Senate on the specific risk of data breaches in the financial services sector. Equifax has set up www.equifaxsecurity2017.com to help consumers. But last year EPIC created www.dataprotection2016.org to promote the adoption of stronger privacy safeguards in the U.S.

(Sep. 8, 2017)

Federal Commission Backs Evidence-Based Policies, Strong Privacy SafeguardsThe Commission on Evidence-Based Policymaking, which was tasked with studying whether and how data across the federal government could be combined for policy research while protecting privacy, has issued its final report. The Commission backs evidence-based policy, recommends new privacy safeguards including Privacy Enhancing Techniques, encourage broader use of statistical data, and recommends the creation of a National Secure Data Service. In testimony before the Commission, EPIC President Marc Rotenberg promoted both innovative privacy safeguards and well informed public policy. EPIC also filed comments with the Commission urging adoption of Privacy Enhancing Techniques, such as anonymization, that minimize or eliminate the collection of personal data. The National Academies of Sciences released a report earlier this year that examined how disparate federal data sources can be used for policy research while protecting privacy. (Sep. 7, 2017)

Houses Automated Vehicle Bill Lacks Privacy Standards, Would Preempt State SafeguardsThe House of Representatives has passed the "SELF DRIVE Act" to encourage the deployment of "automated vehicles" in the United States. Responding to widespread privacy concerns, the bill requires manufacturers to create "privacy plans" and asks the FTC to prepare a privacy study on the automated vehicle industry. The bill supports the development of "Privacy Enhancing Techniques," such as anonymization. But the SELF DRIVE Act lacks essential privacy and safety standards and would preempt stronger state laws. EPIC has repeatedlyurgedCongress and federalagencies to establish strong public safety standards for automated vehicles. EPIC also backs state efforts to develop privacy and safety safeguards. (Sep. 7, 2017)

Medicare to Remove SSN from ID CardsEarlier this year, the Center Medicare Services announced that the Social Security Number would be removed from the Medicare benefits card. Senators Susan Collins and Claire McCaskill led the effort in the Senate to remove the SSN, which contributed to identity theft and often targeted seniors. EPIC testified before their Senate Committee in 2015 on "Protecting Seniors from Identity Theft: Is the Federal Government Doing Enough?" EPIC explained that "there is no other form of individual identification that plays a more significant role in record-linkage and no other form of personal identification that poses a greater risk to personal privacy." Since its founding, EPIC has sought to limit the use of the Social Security Number on identification documents. (Sep. 5, 2017)

European Court of Human Rights Rules Employee Monitoring Violates Privacy RightsThe European Court of Human Rights has ruled that a company's dismissal of an employee based on monitored chat logs violates the fundamental right to privacy. In Barbulescu v. Romania, the Court found that the right to private life and correspondence in Article 8 of the European Convention on Human Rights protects workplace communications. As a result, employees are entitled to prior notice about the extent and type of monitoring their employer conducts. Last year, EPIC intervened in a case before the European Court of Human Rights challenging the activities of British and U.S. intelligence organizations. The casebook Privacy Law and Society (West 2016) explores a wide range of privacy issues, including recent decisions of the Court of Human Rights. (Sep. 5, 2017)

Court Rules California Police Can't Avoid Public Scrutiny of License Plate Reader ProgramThe California Supreme Court ruled that the mass, indiscriminate collection of license plate data by California police cannot be shielded from public scrutiny. In response to an open records request by EFF and the ACLU of Southern California, Los Angeles area law enforcement attempted to prevent disclosure by claiming all license plate data were "investigative records." The court ruled that the license plate data of millions of law-abiding citizens was not an "investigative record." The Court stated, "It is hard to imagine that the Legislature intended for the records of investigations exemption to reach the large volume of data that plate scanners and other similar technologies now enable agencies to collect indiscriminately." EPIC filed an amicus brief in the public records case stating, "Public scrutiny is essential to counter the unique threats posed by these programs of broad-scale surveillance." Documents obtained by EPIC about the FBI's use of license plate readers showed the agency failed to address the system's privacy implications. (Aug. 31, 2017)

EPIC Supports Continuation of CAN-SPAM RuleEPIC has submitted comments to the Federal Trade Commission recommending the continued use of the CAN-SPAM Rule. The FTC Is reviewing the CAN-SPAM Rule, which regulates the transmission of commercial e-mail messages and prohibit certain unlawful practices, as part of a periodic review of Commission rules. EPIC expressed support for the continuation of the Rule and proposed strengthening the Rule by implementing a domain name based "Do Not E-mail" list and making it easier for consumers to opt-out of have their e-mails included in third-party e-mail lists. EPIC testified before the Senate in 2003 in support of the CAN-SPAM Act. EPIC regularly advocates for rules that protect consumers from harassing and annoying phone calls and e-mails. (Aug. 31, 2017)

Trump Nominee to Head Privacy Board Favors Warrantless SurveillanceDonald Trump has nominated Adam Klein to head the Privacy & Civil Liberties Oversight Board (PCLOB). Klein, a senior fellow at the Center for a New American Security, recently testified that Congress should not require agencies to obtain a court order to query data collected under Section 702 of the Foreign Intelligence Surveillance Act, facilitating warrantless surveillance. As Judge Patricia Wald recently stated in remarks at the EPIC Champions of Freedom Dinner, "an agency dedicated to protecting privacy and civil liberties inside the intelligence community with access to classified material is a uniquely valuable asset in the ever difficult search for the right balance between national security and democratic values." EPIC recently urged the Senate Judiciary Committee to restore PCLOB to full strength. (Aug. 31, 2017)

Court Criticizes Presidential Election Commission for Withholding Documents from the PublicA federal judge in Washington, DC expressed disbelief this week at the Presidential Election Commission’s failure to disclose documents from the July 19 inaugural public meeting. The Commission failed to make available to the public the meeting agenda and a 381-page “voter fraud” report prepared by a special interest group that was circulated privately to Commission members. Speaking at a court hearing, the federal judge overseeing the case criticized the Commission for failing “to live up to the government’s representations," about transparency. The Commission is attempting to assemble a nationwide database of voter data over the objections of state election officials. But earlier this summer, the Commission suspended collection of voter data in response to a lawsuit brought by EPIC. EPIC’s case, which calls for the disclosure of a Privacy Impact Assessment prior to the collection, is now on appeal to the D.C. Circuit Court of Appeals. (Aug. 31, 2017)

Following EPIC Complaint, Uber Agrees To Stop Tracking RidersUber has ended the practice of tracking customers before and after they are picked up. In 2015, Uber announced the company would track the location of riders from the time they ordered a ride until after they had reached their destination. EPIC promptly filed a complaint with the FTC and stated that "This collection of user's information far exceeds what customers expect from the transportation service." The end to Uber's tracking of riders comes two weeks after Uber entered into a consent agreement with the FTC following a complaint filed EPIC that highlighted Uber's history of misusing customer data. But EPIC said the FTC settlement does not go far enough. "The FTC should have imposed stronger sanctions on Uber, required the company to disgorge the personal data it had unlawfully obtained, and required the company to restore the original privacy settings," said EPIC President Marc Rotenberg. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases. (Aug. 29, 2017)

2018 Intelligence Authorization Reflects Concerns About Russian HackingIn the proposed intelligence reauthorization for 2018, the Senate has included provisions reflecting widespread concern about the Russian interference in the 2016 election. Among other requirements, S. 1761 mandates a report to Congress detailing the past cyber attacks on election infrastructure and the risk of future attacks, as well as a report assessing the intelligence community response to the attacks. The bill also gives the intelligence community 90 days to develop a strategy to counter the threat of future Russian cyber attacks. And the bill requires the Director of National Intelligence to submit to Congress a report assessing the "threat of Russian money laundering to the United States." EPIC raised similar concerns in a series of leading open government cases concerning the Russian interference. In EPIC v. FBI, EPIC is seeking information about the FBI's response to the attacks and has obtained the FBI Notification Procedures that should have been followed after a cyber attack. In EPIC v. ODNI, EPIC is seeking the release of the complete intelligence report on the scope of the Russian attack. And in EPIC v. IRS, EPIC is seeking to obtain the public release of Donald Trump’s tax returns. (Aug. 25, 2017)

Supreme Court of India Rules Privacy is a Fundamental RightIndia's Supreme Court has ruled that privacy is a fundamental right under the Indian Constitution. In a unanimous ruling, the Court explained the "right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution." The Court also recognized that "Informational privacy is a facet of the right to privacy" and modern privacy risks are caused by both the public and private sector. The ruling may impact significant cases pending in India, including a challenge to Aadhaar, India's massive biometric identification system, and WhatsApp's privacy policy change. In 2009 NGOs and privacy experts set out the Madrid Privacy Declaration, which affirmed privacy as a fundamental human right. In 2010, EPIC urged the US Supreme Court to recognize the right of "informational privacy." EPIC explained that the Whalen decision and a famous German census case, "influenced international privacy jurisprudence, resulting in the widespread recognition of the right to informational privacy." EPIC's report Privacy and Human Rights provides an overview of privacy frameworks around the world. (Aug. 24, 2017)

Appeals Court OKs Collusive Google Privacy SettlementA divided federal appeals court has upheld a decision that allows Google to continue consumer privacy violations by means of a collusive settlement. Though the case concerns Google's illegal disclosure of personal data from 129 million consumers, the settlement fails to compensate those consumers, does nothing to change Google's business practices, and diverts funds to organizations that don’t protect consumer privacy. The dissenting judge wrote that the settlement "raises a red flag" because "47% of the settlement fund is being donated to the alma maters of class counsel." EPIC twiceurged the lower court to reject the settlement, arguing that it did nothing for class members and would allow Google to "continue to engage in the privacy-invading practice." EPIC has long urged courts to reject collusive settlements and has proposed objective criteria for courts to follow in class action cases. (Aug. 23, 2017)

Justice Department Withdraws Demand for Disruptj20 Visitor LogsFacing public outrage, the Department of Justice has rescinded a demand for over 1.3 million IP logs associated with Inauguration Day protests. DreamHost challenged the warrant, which required the web hosting service to turn over practically all records about disruptj20.org, a protest website. The Justice Department warrant could have identified protestors, threatened First Amendment protections, and violated the Fourth Amendment. After widespread opposition, the DOJ narrowed the demand to exclude visitor logs and unpublished content, such as posts and emails. EPIC opposed the DOJ's demand as it had in an earlier case involving Google search histories. EPIC also recently an amicus brief in the Supreme Court urging the Court to safeguard the First Amendment right to access information online free of government surveillance. (Aug. 23, 2017)

EPIC Appeals Voter Data Privacy DecisionEPIC has appealed a federal district court ruling that allowed the Presidential Election Commission to move forward with a controversial plan to gather state voter data in a White House database. EPIC told the D.C. Circuit Court of Appeals that the Commission was obligated to undertake a Privacy Impact Assessment before amassing voters’ personal information. EPIC's case, which led the Commission to suspend the collection of voter data in July, after EPIC's lawsuit revealed agency incompetence, is before the D.C. Circuit on an expedited basis. The case is EPIC v. Commission, No. 17-5171 (D.C. Cir. filed July 27, 2017). (Aug. 18, 2017)

EPIC v. IRS: District Court Rules IRS May Withhold Trump Tax RecordsA federal court in Washington, DC has ruled that the IRS may withhold President Trump's tax records sought by EPIC under the Freedom of Information Act. EPIC had argued that the IRS has the authority to release the records to correct numerous misstatements of fact concerning the President's financial ties to Russia. The President, for example, tweeted: "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING!" However, the Court ruled that “until President Trump or Congress authorizes release of the tax returns, EPIC (and the rest of the American public) will remain in the dark." EPIC v. IRS is one of three leading open government cases concerning Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC is seeking the release of the complete report on the scope of the attack. In EPIC v. FBI, EPIC is seeking information about the FBI’s response to the attack. EPIC will continue to pursue the release of President’s Trump’s tax records and related evidence of financial relations with the Russian government. (Aug. 18, 2017)

Justice Department Demands 1.3 Million IP Logs From Inauguration Protest WebsiteFederal prosecutors in Washington, DC are demanding that an internet hosting service turn over vast amounts of personally identifying data from a website used to organize Inauguration Day protests, including a reported 1.3 million IP logs. DreamHost, the hosting service, has refused to comply with the government's warrant. In a court filing DreamHost argued that prosecutors are attempting "to identify the political dissidents of the current administration" and that the government's data demand is far too broad. In 2006, EPIC opposed a similar government demand—later dropped—for week's worth of search queries entered into Google. EPIC recently filed an amicus brief in the Supreme Court urging the Court to safeguard the First Amendment right to read in the digital era. (Aug. 15, 2017)

After EPIC Privacy Complaint, Uber Settles with FTCAfter an EPIC complaint about Uber's privacy practices, Uber has entered into a consent agreement with the FTC. The agreement prohibits Uber from misrepresenting how it monitors or secures consumer information. As with most FTC privacy settlements, the agreement also requires Uber to implement a comprehensive privacy program and obtain periodic independent third-party audits. In 2015, EPIC filed a complaint with the Federal Trade Commission charging that Uber's plan to track users and gather contact details was an unlawful and deceptive trade practice. EPIC cited Uber's history of misusing customer data as one of many reasons the Commission should act. EPIC has previously pursued successful FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases. (Aug. 15, 2017)

EPIC Amicus - Ninth Circuit Upholds Consumers’ Right to Sue for Privacy ViolationsA federal appeals court ruled today that consumers have the right to file suit when companies report inaccurate credit information about them. Spokeo, the “people search” website, argued that it couldn’t be sued for publishing false information because there was no “concrete" harm. The case went to the Supreme Court, where EPIC filed an amicus brief urging the Court not to "limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." On closer consideration, the Ninth Circuit U.S. Court of Appeals concluded that companies can’t duck the legal consequences when they violate laws that “protect consumers’ concrete interests”—including their right to privacy. “[G]iven the ubiquity and importance of consumer reports in modern life—in employment decisions, in loan applications, in home purchases, and much more—the real-world implications of material inaccuracies in those reports seem patent on their face,” the Court wrote. “[I]t makes sense that Congress might choose to protect against such harms without requiring any additional showing of injury.” EPIC regularly files amicus briefs defending consumer privacy, and filed several amicus briefs after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation.
(Aug. 15, 2017)

EPIC FOIA: EPIC Seeks Details of ICE, Palantir DealEPIC has submitted a Freedom of Information Act request to Immigration and Customs Enforcement seeking details of the agency's relationship with Palantir. The federal agency contracted with the Peter Thiel company to establish vast databases of personal information, and develop new capabilities for searching, tracking, and profiling. EPIC is seeking the ICE contracts with Palantir, as well as training materials, reports, analysis, and other documents. The ICE Investigative Case Management System and the FALCON system now connect personal data across federal government, oftentimes in violation of the federal Privacy Act. The Intercept reported that FALCON "will eventually give agents access to more than 4 billion 'individual data records.'" In FOIA lawsuit EPIC v. CBP, EPIC uncovered Planter's role in Analytical Framework for Intelligence, a program that assigns "risk assessment" scores to travelers. EPIC continues to advocate for greater transparency in computer-based decision making. (Aug. 15, 2017)

Pew Survey Explores the Future of Online TrustThe Pew Research Center has released a report of its survey of experts on "The Fate of Online Trust in the Next Decade." Although nearly half (48%) of the over 1,000 respondents said that they expected trust to increase, 24% predicted that trust would decrease. "Technology is far outpacing security, privacy and reliability," said EPIC President Marc Rotenberg in the survey. "The problem will intensify with the Internet of Things, as the internet connects more machines in the physical world." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes,"consumer products, and "always on" devices. (Aug. 14, 2017)

House Releases Text of Automated Vehicle Bill, Preempts State ActionThe House Committee on Energy & Commerce recently approved text for a bill on automated vehicles. The bill prevents the states from issuing any rule or regulation that is not identical to a Federal Motor Vehicle Safety Standard, preventing states from issuing their own safety and privacy regulations to safeguard consumers. The bill also calls for automated vehicle manufacturers to have cybersecurity and privacy plans, however it does not address who owns the data collected by automated vehicles or how consumers can access or delete their data. EPIC has opposed federal preemption for automated vehicle regulation and has repeatedly urged federal agencies and Congress to allow states to craft their own privacy and security regulations to protect public safety. EPIC has also recommended that consumers control the personal information that is created and stored by the vehicles they operate, rent, and own. (Aug. 10, 2017)

UK Government Releases Statement of Intent Describing New Data Protection BillThe UK has released a statement of intent describing a forthcoming bill that would make major revisions to the the country's data protection law. The new rules would follow the EU's General Data Protection Regulation by strengthening rules for obtaining consent, making it easier for consumers to withdraw consent, and improving consumers' ability to access, move, and remove data about themselves. The bill would also expand the definition of "personal data" to include DNA and IP addresses and would make it a crime to re-identify individuals from anonymized data. EPIC supported the GDPR and the right to be forgotten, has explained that IP addresses are personal data, and has warned of the risks of improperly "de-identified" data. EPIC recently filed a complaint asking the FTC to investigate Google's use of a proprietary, secret algorithm Google claims can "de-identify" consumers while tracking their purchases. (Aug. 10, 2017)

State Department Moves Forward Plan to Collect Social Media Identifiers of Visa ApplicantsThe State Department filed a notice this week seeking comment on the agency's plan to make permanent the collection of social media identifiers from individuals applying for visas to enter the U.S. The public comment period is open until October 2, 2017. The State Department previously requested emergency approval for the plan. EPIC opposed the State Department initiative, and in comments earlier this year, urged the agency to drop the plan. EPIC argued that the proposal threatens privacy, First Amendment rights, risked abuse, and would disproportionately impact minority groups. (Aug. 4, 2017)

EPIC Amicus - DC Circuit Upholds Right of Data Breach Victims to Seek Legal ReliefA federal appeals court in Washington, D.C. has ruled that consumers may sue companies that fail to safeguard their personal data. Consumers sued health insurer Carefirst after faulty security practices allowed hackers to obtain 1.1 million customer records. EPIC filed an amicus brief in the case, in support of the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The appeals court agreed with EPIC that the lower court was wrong to dismiss the case. "No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm," the Court wrote. EPIC regularly files amicus briefs defending consumer privacy and addressing emerging privacy challenges. (Aug. 1, 2017)

EPIC Urges Congress to Focus on FCC and PrivacyEPIC has sent a statement to the House Commerce Committee for a hearing on the Federal Communications Commission. EPIC urged the Committee to affirm the FCC's role in protecting online privacy. EPIC also asked the Committee to press the nominees to repeal a FCC regulation that requires the retention of telephone customer records for 18 months. EPIC filed a petition urging the repeal of this mandate more than two years ago and the FCC recently docketed the petition for public comment. Every comment received by the FCC favored the EPIC petition to end the data retention mandate. EPIC has submittedmultiplecomments to the FCC for strong online privacy protections. (Jul. 27, 2017)

EPIC has sent an Advisory to state election officials, urging opposition to the renewed request for state voter data. The EPIC Advisory follows a letter from the Presidential Election Commission to state election officials. Following EPIC’s lawsuit, seeking a temporary restraining order, the Commission suspended collection of the data. The court ruled on the TRO motion, which EPIC has now appealed. The recent letter falsely claims that the Commission is only seeking “publicly available information.” In fact, the Commission’s June 28 letter called for the release of social security numbers, criminal records, military statuses, and other personal information protected by state laws. California Secretary of State Alex Padilla, and many state election officials, have reaffirmed their opposition to the Commission's effort to gather state voter data.

(Jul. 27, 2017)

EPIC to Senate Judiciary: FBI Response to Russia Attack Must Be ExaminedFollowing a hearing on Russian Interference with the 2016 U.S. Election, EPIC has sent a statement to the Senate Judiciary Committee. EPIC urged the Committee to explore whether the FBI Victim Notification procedures were followed once the FBI became aware of the Russian cyberattack on the DNC and the RNC. In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents indicate that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The obvious question at this point, said EPIC, is whether the FBI followed the required procedures for Victim Notification once the Bureau became aware of this attack. In a related FOIA case, EPIC v. ODNI, EPIC is seeking the public release of the complete report of the intelligence community on the Russian interference with the 2016 election. (Jul. 27, 2017)

European Court Halts Retention, Bulk Transfer of Passenger DataThe top EU Court has struck down an EU-Canada agreement on the processing of airline passenger records. The Passenger Name Record agreement mandated data retention and permitted the bulk transfer of personal data provided by passengers booking a flight. The Court of Justice of the EU explained "the PNR agreement may not be concluded in its current form because several of its provisions are incompatible with the fundamental rights recognised by the EU." The data can reveal "a complete travel itinerary, travel habits, relationships existing between two or more individuals, and information on the financial situation of air passengers, their dietary habits or their state of health." The European Digital Rights Initiative praised the outcome. The EU and US have a similar agreement that permits retention of personal data for 15 years. EPIC has criticized overbroad passenger data transfers, and argued the EU-US agreement violates the EU data protection directive. (Jul. 26, 2017)

EPIC v. ODNI: EPIC Opposes Intelligence Agency Refusal to Release Russia ReportEPIC has opposed the Director of National Intelligence’s refusal to release a critical government report about Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC seeks the public release of the agency’s report on the Russian interference. EPIC filed suit after the ODNI published only a limited, declassified version of the report. In filings in federal district court, EPIC explained that the ODNI’s failure to provide EPIC partial information cannot satisfy the Agency’s obligations under the FOIA. EPIC stated that release is “necessary for the public to evaluate the Intelligence Community response to the Russian interference, assess threats to democratic institutions, and ensure that agencies are taking appropriate measures to protect U.S. electoral institutions against future attack.” Long after the attack on U.S. democratic institutions, “significant information asymmetry between the public and its government remains,” EPIC said. EPIC v. ODNI is a part of the EPIC Cybersecurity and Democracy Project, which focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (Jul. 25, 2017)

EPIC Appeals Decision in Voter Data CaseEPIC has appealed the decision of a federal district court which declined to block the collection of sensitive voter data by the Presidential Election Commission. EPIC had argued that the Commission failed to complete a Privacy Impact Assessment before collecting voter data and violated the constitutional right to information privacy. Though the district court agreed that EPIC had standing to bring the lawsuit, the court concluded that it couldn't halt the data collection because, according to the court's opinion, the Commission is exempt from the obligation to undertake a privacy assessment. EPIC's case, which led the Commission to suspend the collection of voter data two weeks ago, will now be reviewed on an expedited basis by the U.S. Court of Appeals for the District of Columbia. "Absent expedited review," EPIC warned, "the Commission will be allowed to systematically amass the sensitive, personal information of the nation's voters without establishing any procedures to protect voter privacy or the security and integrity of the data." The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 25, 2017)

EPIC to Congress: Examine Facial Recognition Surveillance at the BorderEPIC has sent a statement to the House Homeland Security Committee in advance of a hearing on "Technology's Role on Securing the Border." EPIC alerted the Committee to EPIC's recent FOIA lawsuit about the federal government's deployment of a biometric "entry/exit tracking system," including at US airports. A recent Executive Order on immigration will push forward the biometric identification system, and will include citizens returning to the U.S. EPIC has warned that biometric identification techniques, such as facial recognition, lack proper privacy safeguards. EPIC noted that the federal agency pursuing the border identification program is also deploying drones, and should comply with state laws and a 2015 Presidential Memorandum that limit drone surveillance. (Jul. 24, 2017)

EPIC's Voter Data Case Moves Forward After Court Denies Injunction A federal district court in Washington, DC has denied EPIC’s motion for an injunction against the Presidential Election Commission and declined to block the Commission’s nationwide collection of voter data. As EPIC told the court last week, the Commission failed to undertake and publish a Privacy Impact Assessment before collecting voter data and violated the constitutional right to information privacy. The court agreed that EPIC had “standing” to bring the case because the Commission had “an obligation to disclose information” and because the Commission’s actions “required [EPIC] to expend resources” in order to obtain a Privacy Impact Assessment. But the court concluded that it could not halt the Commission’s plan to aggregate millions of voter records because the Commission is exempt from statutes that govern the conduct of federal “agencies.” The court noted, however, that “this determination may need to be revisited” at a later time. The court also warned the Commission must “strictly abide” by promises to only collect information that is “already publicly available” and to “de-identif[y]” voter data “to the extent it is made public.” EPIC intends to press forward with the lawsuit, which led the Commission to suspend the collection of voter data two weeks ago. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). [Press Release] (Jul. 24, 2017)

Civil Rights, Voting Rights Groups File Suits to Block Release of Voter DataThe Texas NAACP and the League of Women Voters of Texas have filed suit against state election officials to prevent the transfer of personal voter data to the Presidential Election Commission. "The information sought by the Commission is not widely available in Texas, but instead may be released only under certain circumstances and conditions imposed by Texas's voting laws," the complaint reads. The suit notes that the state's disclosure of election records to the Commission, "even if cabined to information generally available to candidates or other organizations who are entitled to request voter information under Texas law, would undermine, and run afoul of, the State's carefully-crafted regulation of the use of voter data." The Texas case joins at least two other lawsuits—one in Florida and one in New Hampshire—seeking to block state officials from providing voter data to the Election Commission. In Washington DC, EPIC has filed suit against the Commission and is urging a federal court to issue a preliminary injunction. The Commission suspended the collection of personal voter data last week in response to EPIC's lawsuit. The Court is expected to rule on EPIC's motion shortly. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 21, 2017)

70 Members of Congress Oppose Election Commission's Request for State DataA group of more than 70 U.S. Representatives sent a letter to the Presidential Election Commission on Tuesday urging the Commission to "immediately" withdraw a nationwide request for state voter data. "The federal government has an obligation to protect the personally identifiable information of the American people," the letter reads. "We believe your June 28 request to the States would do the opposite by ignoring the critical need for robust security protocols when transmitting and storing sensitive personally identifiable information and by centralizing it in one place." As the letter notes, the Commission suspended the collection of personal voter data last week in response to EPIC's lawsuit. EPIC has asked a federal court in Washington, DC to issue an injunction against the Commission and indefinitely block the transfer of election records. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 19, 2017)

FBI Warns of Privacy Risks with Internet-Connected ToysThe FBI released a Public Service Announcement warning consumers about the privacy risks of internet-connected toys. "Smart toys and entertainment devices for children are increasingly incorporating technologies that learn and tailor their behaviors based on user interactions," the FBI wrote in the PSA, adding that the toys "could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed." Last year, EPIC and several consumer organizations filed a complaint with the Federal Trade Commission alleging that the "My Friend Cayla" doll violates U.S. privacy law. EPIC's complaint spurred a congressional investigation and toy stores across Europe have removed Cayla from their shelves. (Jul. 18, 2017)

UPDATE - EPIC Files Reply, Urges Court to Block Collection of State Voter RecordsIn a brief filed this afternoon in Washington, DC, EPIC urged a federal court to issue a temporary restraining order and prevent the collection of state voter records by the Presidential Election Commission. Calling the Commission’s plans to “collect the nation’s voting records” “outside of the privacy laws” that protect personal data “alarming and absurd,” EPIC asked the Court to block this "ill-conceived, poorly executed, and unlawful plan.” EPIC warned that the Commission has “already revealed personally identifiable information” from those who have expressed opposition to the plan. In the original motion, EPIC argued that the Commission had failed to undertake and publish a Privacy Impact Assessment, failed to issue a Federal Advisory Committee Act notice, and violated the constitutional right to information privacy. The Commission, which temporarily suspended the program last week in response to EPIC’s lawsuit, filed an opposition brief earlier on Monday. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 17, 2017)

In Voter Privacy Case, EPIC Files Amended Motion, Seeks to End Collection of Records by Presidential CommissionIn a motion filed today, EPIC urged a federal court to issue a preliminary injunction to block the collection of state voter records by the Presidential Election Commission. The Commission suspended collection of personal voter data earlier this week in response to EPIC's lawsuit. But as EPIC told the court, "the threat to voter privacy and democratic institutions remains. The Commission intends to move forward, pending this Court's determination. It has established a new server within the White House to receive the voter data. It has advised state election officials that further communications regarding this undertaking are forthcoming." A response from the Commission is due Monday, July 17. The Commission is scheduled to hold its first public meeting on July 19, in Washington, DC. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 13, 2017)

Congress Defends Power of Local Authorities to Regulate Drone PrivacyBoth the Senate and House are considering bi-partisan drone bills to protect the ability of states and local government to safeguard privacy. The House's Drone Innovation Act, sponsored by Rep. Jason Lewis (R-MN) and the Senate's Drone Federalism Act, sponsored by Sen. Diane Feinstein (D-CA), would ensure that FAA regulations do not preempt legitimate interests of local governments to protect personal privacy. Earlier this year, EPIC submitted a statement to the House Transportation Committee and a statement to the Senate Commerce Committee to emphasize the unique privacy risks of drones. EPIC explained that the FAA has failed to establish necessary privacy safeguards and that the states must be free to protect privacy interests. In 2015, EPIC sued the agency, arguing the FAA failed to protect the public from aerial surveillance. EPIC v. FAA is currently before the D.C. Circuit Court of Appeals. Argument will likely take place this fall. (Jul. 12, 2017)

Senators Demand Presidential Election Commission Rescind Its Request for Voter DataTwenty-four Senators have sent a letter to the Presidential Election Commission demanding that the Commission abandon its attempt to collect nationwide voter data. "This request is unprecedented in scope and raises serious privacy concerns," the Senators wrote. "The requested data is highly sensitive and after recent data breaches and cyber-attacks targeting our election infrastructure, we are deeply concerned about how the Commission will maintain the security and privacy of the data." The Senators also wrote that "the Commission's lack of focus on legitimate threats, such as foreign cyber-attacks on our election infrastructure," was "troubling." In EPIC v. Commission, EPIC is seeking to block the Commission from obtaining state voter records. (Jul. 11, 2017)

In Voter Privacy Case, EPIC Sues White House IT DirectorEPIC has sued the White House IT Director as part of EPIC's ongoing case to block the transfer of sensitive voter data to the Presidential Election Commission. The White House IT Director, as well as the Commission, are required by law to publish a Privacy Impact Assessment before collecting any personal information. As EPIC explained to the Court earlier today, "The Commission may not play 'hide the ball' with the nation's voter records. With such vast demands for personal information come commensurate responsibilities to provide security and privacy, and to comply with all legal obligations." The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 11, 2017)

In Voter Privacy Case, EPIC Urges Court to Issue TROIn a court filing on Tuesday, EPIC urged a federal court to issue a temporary restraining order to block the collection of voter data by the Presidential Election Commission. "The Commission may not play 'hide the ball' with the nation's voter records," EPIC wrote. "With such vast demands for personal information come commensurate responsibilities to provide security and privacy, and to comply with all legal obligations. Surely that is fundamental for an organization charged with promoting 'election integrity.'" On Monday, the Commission suspended the collection of voter data in response to EPIC's suit. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 11, 2017)

EPIC Obtains Privacy Procedures for IRS Private Debt CollectionAs the result of a Freedom of Information Act request to the IRS, EPIC has obtained hundreds of documents detailing procedures that bind private debt collectors dealing with U.S. taxpayers. Following a Congressional mandate, the IRS outsourced debt collection for some U.S. taxpayers to private debt collection agencies. Transfer of personal and financial data to private entities raises data security and privacy concerns, and also makes scams and threatening phone collection tactics easier to perpetrate. A group of U.S. senators has already accused one of the four companies of engaging in abusive and illegal phone contacts. The documents obtained by EPIC show how the IRS monitors the companies and the procedures companies must follow when contacting taxpayers. EPIC also obtained the privacy and data security requirements imposed on the debt collectors, details of how they must handle complaints, andtheIRScontractsforallfourcompanies. In FOIA lawsuit EPIC v. IRS, EPIC is also seeking therelease of President Trump's Tax records from the agency. (Jul. 10, 2017)

Court Sets Monday Deadline in EPIC Voter Privacy CaseA federal court set a Monday, 4 p.m. deadline for the government to file a brief in EPIC v. Commission. The court is expected to rule shortly in EPIC's lawsuit to block the President's Election Commission from collecting state voter records from across the country. In a series of filings with the court, EPIC explained that the Commission failed to prepare a Privacy Impact Assessment as required by Federal law. EPIC also charged that the Commission's demand for detailed voter histories violated the Constitutional right to privacy. And EPIC explained that the Commission has already committed multiple egregious security blunders, including directing state election officials to send voter records to an unsecure website that is not approved for storing the public's personal data. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 10, 2017)

EPIC Files Response to Election Commission in Voter Privacy CaseIn a reply filed today in federal district court, EPIC charged that the President's Election Commission "has conceded the obvious: the privacy implications of this unprecedented demand for voter roll data from across the country are staggering." EPIC rebutted every point in the government's response, noting that the Commission often failed to cite any support for its extraordinary claims to gather personal data outside of federal privacy law. Members of the EPIC Advisory Board, experts in computer technology, contributed affidavits that underscored the vulnerabilities of the Commission's plan to aggregate personal voter data. EPIC also called Vice Chair Kobach's statements "alternately misleading or meritless." EPIC said the Commission's actions "places at risk the privacy interests of registered voters across the country." In EPIC v. Commission, EPIC is seeking to block the transfer of sensitive voter data to a Presidential Commission on Election Integrity. EPIC explained to the Court that it has "a clear likelihood of success on the merits." (Jul. 6, 2017)

EPIC Provides Suggestions for "Self-Driving" Vehicle LegislationEPIC has sent a statement to Congress ahead of a hearing to discuss proposed self-driving vehicle legislation. The House Energy & Commerce Committee drafted several bills related to the development and deployment of "self-driving" vehicles. EPIC urged the Committee not to pre-empt states from issuing their own self-driving vehicle regulations, to encourage developers to be transparent in the development of autonomous vehicles, and to urge that advocacy groups be included in connected car advisory councils. EPIC has been a leadingadvocate for privacy and safety in the development of connected and autonomous vehicle and has participated in workshops, written to NHTSA, and activelyinformedCongress of privacy and safety related developments in connected and autonomous vehicles. (Jul. 5, 2017)

EPIC Urges TSA to Consider Alternative to Biometric CollectionIn comments to the Transportation Security Administration, EPIC urged the agency to consider alternatives to expanding the collection of biometric identifiers for the TSA Pre-Check application. EPIC explained the potential for biometric identifiers to be used for purposes other than determining eligibility for Pre-Check and the substantial personal privacy risks for applicants if the databases associated with Pre-Check were compromised. EPIC also proposed privacy enhancing alternatives, such as limiting the storage of biometric identifiers or providing information on how to have information removed from databases associated with Pre-Check. EPIC routinely highlights the risks of large, overbroad government databases and the privacy risks inherent in the collection of biometric information. (Jul. 5, 2017)

Kobach Responds in EPIC Case to Block Release of State Voter RollsIn a declaration filed in federal court in Washington, DC, Kris Kobach, Kansas Secretary of State and Vice Chair of the Presidential Advisory Commission on Election Integrity, said that he “intended” that the voter data he requested from the states not be sent by email (the letter to the states indicated otherwise). Kobach also said that “the Commission intends to maintain the data on the White House computer systems.” Kobach acknowledged that “numerous states have indicated that they will decline to provide all or some portion of the information, in some cases because state law prohibits such transfer of information.” Kobach also said, “As of July 5, 2017, no Secretary of State had yet provided to the Commission any of the information requested in my letter.” There is no indication that the Commission has completed a Privacy Impact Assessment or complied with the requirements of the Federal Advisory Committee Act. EPIC filed an emergency motion earlier this week to block the disclosure of state voter information to the Commission, calling the data demand a violation of the Constitutional right to privacy. The Department of Justice has filed an opposition. (Jul. 5, 2017)

EPIC FOIA: EPIC Seeks Details of Election Commission Demand for Voter DataEPIC has submitted an urgent FOIA request for details of the Election Commission's attempt to gather voter records from state election officials. The Commission requested dates of birth, party affiliation, partial SSNs, voter history, and felony convictions and military service status. EPIC wants the Commission to turn over records about compliance with the Federal Advisory Committee Act, the Privacy Act, and the E-Government Act. EPIC is also seeking communications among Commission officials as well as information about the failure to conduct a Privacy Impact Assessment. Over 40 states now partially or fully oppose the request for voter records. In a related lawsuit, EPIC v. Commission, EPIC has filed for a Temporary Restraining Order to block the Commission's efforts. (Jul. 5, 2017)

In Voter Privacy Case, EPIC Files for Temporary Restraining OrderEPIC today filed for a Temporary Restraining Order to block a demand from a Presidential Commission for millions of state voter records. In papers filed in federal district court in Washington, D.C., EPIC explained that the Commission failed to produce and publish a Privacy Impact Assessment, required by Federal law. EPIC also charged that the Commission’s demand for detailed voter histories violated the Constitutional right to privacy. And EPIC explained that the Commission had already committed two egregious security blunders—(1) directing state election officials to send voter records to an unsecure web site and (2) proposing to publish partial SSNs that would enable identity theft and financial fraud. The Court gave the government until Wednesday, July 5 to file an opposition. EPIC will then file a reply. A ruling is expected by the end of the week. The EPIC lawsuit follows a letter from 50 voting experts and 20 privacy organizations urging state election officials to oppose the Commission’s demand. The case is EPIC v. Commission, No. 17-1320 (D.D.C. filed July 3, 2017). (Jul. 3, 2017)

Experts, Privacy Groups Oppose Demand for State Voter RecordsIn a letter to state election officials, more than 50 experts and 20 privacy organizations have urged the states to oppose a request from a Presidential Advisory Commission for voter records. The recently formed Commission is seeking comprehensive voter data from all 50 states, including dates of birth, political party, partial SSNs, voter history, and information regarding felony convictions and military services. The letter from the voting experts and privacy organizations says, “This is sensitive personal information that individuals are typically required to provide to be eligible to vote. There is no indication how the information will be used, who will have access to it, or what safeguards will be established.” The letter also notes that the Presidential Commission may have failed to complete a Privacy Impact Assessment, required by federal law, prior to the collection of personal data. California, among other states, has said it will oppose the request. (Jun. 30, 2017)

EPIC Recommends National Safety Standard for "Self-Driving" VehiclesIn remarks today to a joint workshop of the FTC and NHTSA, EPIC President Marc Rotenberg called for the establishment of national safety standards prior to the deployment of "self-driving" vehicles on the nation's highways. "Given the current vulnerabilities of networked communications, self-driving vehicles are simply unsafe at any speed," said Mr. Rotenberg. EPIC has participate in numerous NHTSA rule makings on auto safety, proposed stronger data protection standards for connected vehicles, and sided with consumers in a case concerning the risks of autonomous vehicles. In extensive comments for the FTC/NHTSA workshop, EPIC pointed to known vulnerabilities with bluetooth communications, auto hacking, "level 3" control, malware and ransomware, auto repossession remote deactivation, and safety defects. EPIC urged the FTC and NHTSA to focus on "data protection, vehicle safety, consumer protection, and privacy." EPIC also said that the ability of states to develop safety standards must be maintained. EPIC warned that the failure to establish robust safety standards could be "catastrophic." (Jun. 28, 2017)

Google Faces Record Fine for Monopolistic Search PracticesEuropean antitrust officials have imposed a $2.7 billion fine on Google for favoring its own services over competitors on Google search, which now dominates 90% of the market in Europe. It is the largest antitrust fine in European history. European Commissioner Margrethe Vestager stated "Google has abused its market dominance in search by promoting its own services and demoting its competitors. What Google has done is illegal under EU antitrust rules. It has denied other companies the chance to compete on the merits and to innovate. And most importantly, it has denied European consumers the benefits of competition, genuine choice, and innovation." Google competitors and news organizations, based in the United States, favored the outcome. Over many years, EPIC had urged the US government to take a closer look at Google's anti-competitive practices. In testimony before the Senate Judiciary Committee in 2007, EPIC warned that Google's growing dominance of online advertising would diminish user privacy and market competition. In a statement to the FTC in 2011, EPIC explained that Google altered the search rankings of YouTube after it acquired the company to preference Google's content over that of competitors and NGOs, including EPIC. In 2012, EPIC told the FTC that "Google's business practices raise concerns related to both competition and the implementation of the Commission's consent order." EPIC later sued the FTC for its failure to enforce the consent order. (Jun. 27, 2017)

EPIC v. ODNI: Intelligence Agency Opposes Release of Report on Russian HackingIn a motion filed in EPIC v. ODNI, the government contends that it is not obligated to review a critical government report for even partial release under the Freedom of Information Act. EPIC filed the lawsuit for the release of the complete report on the Russian interference with the 2016 election after the ODNI published a limited, declassified version. "The ODNI should release the complete report to EPIC so that the public and the Congress can understand the full extent of the Russian interference with the 2016 Presidential election," EPIC President Marc Rotenberg told POLITICO. "It is already clear that government secrecy is frustrating meaningful oversight. The FBI, for example, will not even identify the states that were targeted by Russia." EPIC will challenge the agency's response as the litigation continues in federal district court in Washington, DC. EPIC v. ODNI is one of several FOIA suites EPIC is pursuing under the new EPIC Democracy and Cybersecurity Project focused on preserving democratic institutions. In EPIC v. IRS EPIC seeks release of President Trump's Tax records. In EPIC v. FBI, EPIC has already obtained the Bureau's procedures for notifying organizations that are the target of a cyber attack. (Jun. 27, 2017)

TSA Proposal to Inspect Books at US Airports Raises First Amendment ConcernsThe TSA is considering a requirement to remove books from carry-on luggage for inspection during security screenings. The procedure raises concerns that individuals may be singled out for their religious and political beliefs, implicating core First Amendment values. In 2015 a college student won a $25,000 settlement after he was detained by the TSA for carrying Arabic flash cards. EPIC has pursued litigation against invasive airport screening techniques. In EPIC v. DHS, EPIC successfully sued to require the Department of Homeland Security to obtain public comment on the use of body scanners in U.S. airports. The litigation also led to the removal the backscatter x-ray devices from airports. EPIC recently filed a FOIA request to determine why US travelers returning to the United States are subject to biometric identification. In numerous cases, including a recent case before the US Supreme Court, EPIC has argued for the freedom to without government surveillance. (Jun. 27, 2017)

EPIC Pursues Release of Trump Tax Returns in IRS FOIA CaseEPIC filed a court brief Monday opposing an attempt by the Internal Revenue Service to dismiss EPIC's FOIA lawsuit for President Trump's tax returns. EPIC filed the suit for the tax records on April 15 after the IRS refused to process EPIC's FOIA Request for the President's returns. The IRS responded by asking the court to dismiss the case, insisting that the agency did not have to process EPIC's request because the President's consent had not been obtained. As EPIC told the court on Monday, the IRS focused on the wrong law, ignoring a provision that gives EPIC a right to access the President's tax records without consent. EPIC explained that the agency's argument "is irrelevant to the processing of this particular FOIA request." EPIC v. IRS is one of three leading open government cases concerning Russian interference with the 2016 Presidential election. In EPIC v. ODNI, EPIC is seeking the release of the complete report on the scope of the attack. In EPIC v. FBI, EPIC is seeking information about the FBI’s response to the attack. (Jun. 27, 2017)

Supreme Court Won't Review Ruling on Secretive Sentencing AlgorithmsThe Supreme Court has declined to review the ruling of a state court that upheld the use of a secret algorithm to determine a criminal sentence. The petitioner Loomis argued that he was not able to assess the fairness or accuracy of the legal judgement, and that the secret "risk assessment" algorithm therefore violated fundamental Due Process right. EPIC has pursued several related cases to establish the principle of algorithmic transparency in the United States. In EPIC v. DHS, EPIC obtained documents about secret behavioral algorithms that purportedly determine an individual's likelihood of committing a crime. In a series of state FOI cases, EPIC obtained records from state agencies about the use of propriety DNA analysis tools to determine guilt or innocence. EPIC is currently litigating EPIC v. CBP before the DC Circuit Court of Appeals, a case concerning the secret scoring of airline passengers by the federal government. (Jun. 26, 2017)

EPIC Urges Senate Judiciary Committee To Restore PCLOB to Full StrengthIn advance of a hearing on the Foreign Intelligence Surveillance Act, EPIC has sent a statement to the Senate Judiciary Committee urging increased public reporting of the government's surveillance activities under section 702. EPIC also highlighted the need to restore the Privacy and Civil Liberties Board (PCLOB) to full strength. As Judge Patricia Wald recently stated in remarks at the EPIC Champions of Freedom Dinner, "an agency dedicated to protecting privacy and civil liberties inside the intelligence community with access to classified material is a uniquely valuable asset in the ever difficult search for the right balance between national security and democratic values." EPIC testified before the House Judiciary Committee in support of increased transparency during the 2012 FISA reauthorization hearings. Analysis of 702 reform by Prof. Laura Donohue. (Jun. 23, 2017)

EPIC Urges Senate Intelligence to Ask FBI about Agency Response to Russia AttackIn advance of the hearing on Russian Interference with the 2016 U.S. Election, EPIC has sent a statement to the Senate Intelligence Committee. EPIC urged the Committee to ask the FBI witness whether the FBI Victim Notification procedures were followed once the FBI became aware of the Russian cyberattack on the DNC and the RNC. In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents indicate that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The obvious question at this point, said EPIC, is whether the FBI followed the required procedures for Victim Notification once the Bureau became aware of this attack. In a related FOIA case, EPIC v. ODNI, EPIC is seeking the public release of the complete report of the intelligence community on the Russian interference with the 2016 election. EPIC sent a similar letter to the House Intelligence Committee. (Jun. 20, 2017)

EPIC Urges Congress to Examine FBI's Biometric Identification ProgramEPIC has sent a statement to the House Appropriations Committee in advance of a hearing on the FBI's budget. EPIC urged the Committee to examine the FBI's Next Generation Identification program. EPIC explained that the program "raises far-reaching privacy issues that implicate the rights of Americans all across the country." The FBI biometric database is one of the largest in the world, but the Bureau proposed to exempt the database from Privacy Act protections. EPIC and others supported strong safeguards for the program. In an early FOIA case against the FBI, EPIC obtained documents which revealed high error levels in the biometric database. EPIC has recently filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense. (Jun. 20, 2017)

EPIC Recommendations for Tech Week Meeting: Protect U.S. ConsumersIn advance of a White House / OSTP meeting on "emerging technologies," EPIC has sent a statement to the Office of Science and Technology Policy. EPIC urged the Administration to focus on consumer protection and address the numerous privacy and security risks related to the "Internet of Broken Things." EPIC recommended recommended Privacy Enhancing Technologies, data minimization, and security measures for Internet-connected devices. EPIC also urged the Administration to issue regulations on drone privacy as mandated by Congress and to establish minimum safety standards for connected cars. EPIC warned that "The unregulated collection of personal data and the growth of the Internet of Things has led to staggering increases in identity theft, security breaches, and financial fraud in the United States." (Jun. 20, 2017)

EPIC Urges Swift Action on FCC Data Retention MandateIn a statement to the Senate Committee on Appropriationst, EPIC asked Congress to obtain assurances from the FCC Chair to repeal the FCC regulation that requires telephone companies to keep customer's phone records for 18 months. EPIC warned that the regulation "places at risk the privacy of users of network services." Two years ago, EPIC, joined by consumer privacy organizations, technical experts, and legal scholars, submitted a formal petition to the FCC, calling for the repeal of the data retention ruie. The FCC recently docketed the petition and accepted public comments on the matter. All of the commentators favored the EPIC petition to end the mandate. The next step will be for the FCC to begin a Rulemaking to Repeal 47 C.F.R.§42.6 ("Retention of Telephone Records"). (Jun. 20, 2017)

Supreme Court: Social Media Ban Violates First AmendmentThe U.S. Supreme Court ruled today in Packingham v. North Carolina, striking down a state law that barred people listed on a sex offender registry from accessing commercial websites that allow minors to register and communicate. The North Carolina ban covered major news sites such as the Washington Post and CNN. "[T]o foreclose access to social media altogether is to prevent the user from engaging in the legitimate exercise of First Amendment rights," the Court wrote. "Even convicted criminals—and in some instances especially convicted criminals—might receive legitimate benefits from these means for access to the world of ideas, in particular if they seek to reform and to pursue lawful and rewarding lives." EPIC filed an amicus brief in the case, joined by 30 technical experts and legal scholars, explaining that the state law violated the right to receive information, censored vast amounts of speech unrelated to protecting minors, and encouraged widespread government monitoring of all internet users. Justice Ginsburg quoted EPIC's brief at oral argument, and the justices' written opinions noted policies and studies cited in the EPIC brief. EPIC frequently files amicus briefs on emerging privacy and civil liberties issues. (Jun. 19, 2017)

EU Parliament Releases Draft Report on ePrivacy DirectiveThe European Parliament's Committee on Civil Liberties, Justice, and Home Affairs has released a draft report on regulations for privacy and electronic communications. The draft contains several proposals to strengthen online privacy, including end-to-end encryption in all electronic communications and a ban on encryption backdoors. Protecting the privacy of communications is "an essential condition for the respect of other related fundamental rights and freedoms," according to the report. EPIC has urged the FCC to follow developments with the ePrivacy Directive and has recommended the use of end-to-end encryption in applications including commercial e-mail and connected cars. (Jun. 19, 2017)

EPIC Seeks "Long Standing" DOJ Policy for Withholding Communications from CongressEPIC has filed an urgent Freedom of Information Act request for the "long standing" DOJ policy for withholding from Congress communications between the Attorney General and the President. On June 13, 2017 Attorney General Sessions testified before the Senate Select Committee on Intelligence regarding the Russian interference in the 2016 Presidential election. The Attorney General refused to answer many questions, citing a "long standing" DOJ practice not to share "communications" between the AG and the President or "comment on [such] conversations" for "confidential reasons." EPIC has filed a formal FOIA request with the Department of Justice seeking public release of the DOJ policy, described by the Attorney General. (Jun. 16, 2017)

EPIC Tells Congress US-UK Surveillance Agreement Should be Made PublicEPIC has sent a statement to the House Judiciary Committee for a hearing on "Data Stored Abroad." According to news reports, the United States and the United Kingdom are drafting a secret agreement for transnational access to personal data that would bypass legal and judicial safeguards. In November 2016, EPIC filed a FOIA Request for the draft US-UK agreement. The Justice Department recently informed EPIC that responsive documents had been located and would be referred to the State Department for additional processing. EPIC has long pursued public release of international agreements. In 2016, EPIC obtained the "Umbrella Agreement," concerning the transfer of personal data from the EU to the US, after a successful Freedom of Information Act lawsuit. (Jun. 14, 2017)

IRS Opposes EPIC's FOIA Suit for Trump Tax ReturnsThe Internal Revenue Service has asked a court to dismiss EPIC's FOIA lawsuit for President Donald Trump's tax records. EPIC filed the suit on April 15 after the IRS refused to consider a FOIA request for the President's returns. As EPIC told the court, "There has never been a more compelling FOIA request presented to the IRS." EPIC also explained that IRS Commissioner is empowered to release tax returns to "correct misstatements of fact" and to ensure the "integrity and fairness" of the tax system. In yesterday's filing, the IRS conceded that "the FOIA provides an adequate remedy in this case" but insisted that the agency did not have to process EPIC's request or release any records. (Jun. 13, 2017)

DOJ Requests $21.6 million to Tackle EncryptionDuring a Senate Appropriations budget hearing today, Deputy Attorney General Rosenstein said that the use of unbreakable encryption "severely impairs our ability to conduct investigations." The Department of Justice is requesting $21.6 million to "counter the treat of Going Dark." Last year, EPIC filed an amicus brief in Apple v. FBI in support of encryption. EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. (Jun. 13, 2017)

Court Rules Secret Scoring of Teachers UnconstitutionalA federal district court has held that firing public school teachers based on the results of a secret algorithm is unconstitutional. The case, Houston Federation of Teachers vs. Houston Independent School District, concerned a commercial software company's proprietary appraisal system that was used to score teachers. Teachers could not correct their scores, independently reproduce their scores, or learn more than basic information about how the algorithm worked. "When a public agency adopts a policy of making high stakes employment decisions based on secret algorithms incompatible with minimum due process, the proper remedy is to overturn the policy," the court wrote. EPIC recently filed a complaint asking the FTC to stop the secret scoring of young tennis players. EPIC has pursued several cases on "Algorithmic Transparency," including one for rating travelers and another for assessing guilt or innocence. (Jun. 13, 2017)

EPIC Joins Call to Keep Surveillance Transparency PromiseEPIC and over 30 organizations urged the Director of National Intelligence Dan Coates to uphold a promise to provide a public estimate of how many Americans are caught up in NSA surveillance of foreign targets. The coalition, including EPIC, previously pushed for the estimate. Americans' communications are "incidentally" collected under section 702 of the Foreign Intelligence Surveillance Act, and the FBI searches this data without a warrant or judicial oversight. EPIC, in testimony before Congress and comments to the Privacy and Civil Liberties Oversight Board, has repeatedly called for greater oversight and transparency of surveillance authorities. (Jun. 13, 2017)

European Privacy Officials Push for Answers on Status of U.S. PrivacyThe Article 29 Working Party, an expert group of European privacy officials, is pressing the European Commission to closely evaluate the EU-US Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a letter to the Commission, the Working Party outlined its expectations for this summer's annual review of the arrangement. The Group asked for "precise evidence" that bulk surveillance is "limited and proportionate." The Article 29 also seeks information about vacancies in key privacy oversight positions, including the Privacy and Civil Liberties Oversight Board and the Privacy Shield Ombudsperson, and any legal protections for "automated decision making." The European Parliament previously expressed alarm over the rollback of U.S. privacy safeguards necessary for the Privacy Shield. In 2015, EPIC and a coalition of privacy organizations urged the US and the EU to strengthen privacy protections following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler made submissions in DPC v. Facebook, highlighting weaknesses in US privacy law. (Jun. 13, 2017)

EPIC Launches Campaign to End FCC Data Retention MandateEPIC launched the "My Calls, My Data" campaign today, urging the public to support a proposal to end the FCC's data retention mandate. The 1986 regulation requires telephone companies to keep the telephone numbers dialed, date, time, and call length of all U.S. telephone customers for an 18-month period. An EPIC-led coalition filed a petition in 2015 calling for repeal of the rule, saying that the FCC's mandate "violates the fundamental right to privacy, exposes consumers to data breaches, stifles innovation, and reduces competition." The FCC is now seeking comments. "There is hardly a better regulation to end than the FCC's data retention mandate," said EPIC President Marc Rotenberg. "It is ineffective, burdensome, and costly." Comments may be filed online and are due by June 16, 2017. (Jun. 13, 2017)

EPIC to Congress: Ask ICE About FOIA ComplianceEPIC has sent a statement to the House Appropriations Committee in advance of a budget hearing for Immigrations and Customs Enforcement and Customs and Border Patrol. EPIC urged the Committee to ask whether ICE is complying with FOIA "when it receives requests for immigration data." EPIC and a coalition recently sent a letter to DHS Secretary Kelly calling on ICE to "fully disclose information on immigration enforcement cooperation between federal and non-federal law enforcement agencies." EPIC also said the Committee should ensure that CBP, which is now deploying drones, will comply with state laws and a 2015 Presidential Memorandum that limit drone surveillance. (Jun. 12, 2017)

EPIC Tells House Committee to Ensure Telemarketing Rules Protect ConsumersEPIC has sent a statement to the House Judiciary Committee in advance of the hearing on "Lawsuit Abuse and the Telephone Consumer Protection Act." The telemarketing law bars telemarketers and robocallers from contacting consumers by phone fax, or text without prior consent. EPIC acknowledged that class action settlements often fail to provide direct financial benefits to consumers, but explained that "TCPA cases are among the most effective privacy class actions because they typically require companies to change their business practices to comply with the law." Last year, EPIC filed an amicus brief in support of TCPA protections for consumers. EPIC has also testified before Congress about the telemarketing law and submittedmanycomments concerning its implementation. (Jun. 12, 2017)

Senator Feinstein Proposes Reforms to Broad Spying AuthoritySenator Dianne Feinstein, the former chair of the Senate Intelligence Committee, today outlined reforms to Section 702 surveillance authority. The law, which allows the NSA "PRISM" and "Upstream" surveillance programs, is set to expire at the end of this year. Senator Feinstein would end permanently the NSA's "about" searches, expand the amicus role at the intelligence court, and require the continued sunsetting of FISA authorities created in the The FISA Amendments Act of 2008. In 2012, EPIC testified before Congress on the need to establish better oversight for Section 702 prior to renewal. (Jun. 9, 2017)

EPIC In Court: Irish Court Reviews U.S. Surveillance DevelopmentsThe Irish High Court has reviewed recent decisions by the U.S. surveillance court and a federal appeals court for a case on the legality of Facebook's transfers of personal data from the EU to the United States. EPIC explained that the modifications to the NSA's "Upstream" program were significant, but emphasized that the scathing rebuke of the NSA's prior violations and "institutional lack of candor" show that there are not adequate limitations in the US on mass surveillance. And Congress has been unwilling so far to modify the Section 702 collection authority. EPIC is represented by FLAC (Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all. (Jun. 9, 2017)

EPIC to Congress: Data Protection Needed for Financial TechnologiesEPIC submitted a statement to a House Committee hearing on financial technologies on the risks with new financial services. Companies now use social media data and secret algorithms to make determinations about consumers. They are also reaching out, through the "Internet of Things," to control consumers. EPIC's recently filed a complaint with the CFPB about "starter interrupt devices," deployed by auto lenders to remotely disable cars when individuals are late on their payments. (Jun. 9, 2017)

EPIC Urges DHS To Abandon Privacy Act Exemptions for ICE DatabaseIn comments to the Department of Homeland Security, EPIC urged the agency to withdrawproposed Privacy Act exemptions. The FALCON database contains detailed personal information on ICE and CBP employees, and individuals associated with ICE investigations including victims and witnesses. For this government database, DHS has proposed to exempt itself from several Privacy Act protections including ensuring that the records are accurate, timely, and complete. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases. The FBI recently postponed an "Insider Threat" database that also lacked adequate Privacy Act safeguards. (Jun. 8, 2017)

FCC Responds to EPIC's Petition, Seeks Public Comment on Data Retention MandateThe FCC is seeking comments on an EPIC's petition to revoke the FCC's rule requiring mandatory retention of phone records. Current FCC regulations require phone companies to retain sensitive information on all telephone customer calling activity for 18 months, including telephone numbers dialed, date, time, and call length. The petition, filed in August 2015, states that the FCC's mandate "violates the fundamental right to privacy, exposes consumers to data breaches, stifles innovation, and reduces competition. It is outdated and ineffective. It should end." The EPIC petition is supported by a broad coalition of civil liberties organizations, technical experts, and legal scholars. The FCC docket number is 17-130. Comments are due on June 16, 2017. (Jun. 7, 2017)

EPIC Obtains Reports on Runaway Army BlimpAs the result of a FOIA Request, EPIC has obtained nearly two hundredpages of reports about the Army surveillance blimp that broke free and crash landed in Pennsylvania. In 2015 the blimp roamed the East Coast before its crash and caused blackouts across the Pennsylvania countryside as it downed power lines. The documents obtained by EPIC include technical reports, a field investigation, and maintenance worksheets. The reports reveal the tail of the blimp failed, raising questions about the government's maintenance of the controversial and very expensive surveillance program. Through an earlier FOIA lawsuit, EPIC uncovered details about the plan to deploy the surveillance blimp over Washington, DC. The Runaway Blimp launched an Internet meme. (Jun. 7, 2017)

EPIC Urges Senate to Ask Comey About FBI Response to Russia AttackIn advance of the hearing with former FBI Director James Comey, EPIC has sent a statement to the Senate Intelligence Committee. EPIC urged theCommittee to ask Comey whether FBI Victim Notification procedures were followedin notifying the DNC and the RNC once the FBI becameaware of the Russian cyberattack on US political organizations.In Freedom of Information Act lawsuit EPIC v. FBI, EPIC has obtained the FBI notification procedures that would have applied to the Russian cyberattacks during the 2016 Presidential election. The documents obtained by EPIC establish that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community.” The obvious question at this point is whether the FBI followed the required procedures for Victim Notification once the Bureau became aware of this attack. (Jun. 7, 2017)

Leaked Document Details Russian Interference Efforts in 2016 ElectionA National Security Agency document leaked to The Intercept details Russian attempts to interfere in the 2016 Presidential Election via cyber attacks. The document concludes that the attacks were carried out by Russian military intelligence and involved spear-phishing emails and a cyber attack on a private manufacturer of devices that maintain and verify the voter rolls. EPIC Is currently litigating EPIC v. ODNI, EPIC v. FBI, and EPIC v. IRS, three of the leading open government cases concerning Russian interference with the 2016 Presidential election. (Jun. 6, 2017)

EPIC Urges Senate Committee To Reform Surveillance LawIn advance of a hearing on the Foreign Intelligence Surveillance Act, EPIC has sent a Statement to the Senate Select Committee on Intelligence urging increased transparency and new public reporting of the Government's surveillance activities. EPIC also highlighted several legal challenges to an NSA bulk surveillance program abroad. The bulk surveillance program for the communications of non-U.S. persons, sunsets on December 31, 2017. EPIC testified before the House Judiciary Committee during the 2012 FISA reauthorization hearings, recommended improved public reporting, and warned pre-Snowden that the extent of mass surveillance was much greater than was known to the public. (Jun. 6, 2017)

Pew Survey Explores Internet of ThingsThe Pew Research Center has released a report surveying experts about the security implications of the Internet of Things. The survey found a broad consensus that growth in the IoT will bring with it an increased risk of real-world physical harm. "The essential problem is that it will be impractical for people to disconnect," said EPIC President Marc Rotenberg in the survey. "Cars and homes will become increasingly dependent on internet connectivity. The likely consequence will be more catastrophic events." The ACM recently released a Statement of IoT Privacy and Security, which lists principles for protecting privacy and security in IoT devices. EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes,"consumer products, and "always on" devices. (Jun. 6, 2017)

EPIC Awarded Nearly $100,000 in Internet Surveillance CaseA federal judge in Washington, DC has issued a final order granting EPIC substantial attorney's fees in a long-running case against the Department of Homeland Security. EPIC sued the DHS in 2012 for information about a secret program to monitor Internet traffic. The "Cyber Pilot" program applied originally to defense contractors, but an executive order dramatically expanded the program, raising concerns about violations of federal wiretap law. EPIC's lawsuit produced the release of several thousand pages on the program. EPIC sought attorneys fees for the successful litigation, which the DHS opposed. In November, Judge Gladys Kessler ruled that EPIC was entitled to attorney's fees because it "substantially prevailed in [the] litigation" and added "to the fund of information that citizens may use in making vital political choices." On Monday, Judge Kessler confirmed that decision and awarded EPIC nearly $100,000 in fees—the largest such award in EPIC's history. (Jun. 5, 2017)

Supreme Court to Hear Case on Privacy of Cell Phone Location DataThe U.S. Supreme Court has granted review in Carpenter v. United States, a case concerning the privacy of cell phone location data. At issue is data that can be used to track cell phone users and whether police are required to obtain warrants to conduct these searches. A lower court ruled that the Fourth Amendment does not require officers to get a warrant before they obtain location records from a cell phone provider. In State v. Earls, EPIC successfully argued that a warrant is required under the New Jersey constitution. EPIC will file an amicus in Carpenter supporting the application of the warrant standard to obtain location data. (Jun. 5, 2017)

The FOIA Project Provides 2017 FOIA ReportA new report from The FOIA Project tracks many of the Freedom of Information Act lawsuits filed by media organizations and journalists in 2017. According to TRAC, forty-five new FOIA lawsuits were filed by thirty-nine news organizations and reporters. The New York Times, with six FOIA suits, filed suit most frequently. In second place is EPIC, which has already filed four FOIA lawsuits in 2017, including a suite of lawsuits under the new EPIC Democracy and Cybersecurity Project focused on preserving democratic institutions. In EPIC v. ODNI EPIC seeks public release of the January 2017 report of the intelligence community on Russian hacking, and in EPIC v. IRS EPIC seeks release of President Trump's Tax records. In EPIC v. FBI, EPIC has already obtained the Bureau's procedures for notifying organizations that are the target of a cyber attack. EPIC has asked Congress to determine whether the FBI did enough to notify US political organizations about Russian cyber attacks during he 2016 Presidential election. (May. 31, 2017)

FBI Postpones Insider Threat DatabaseThe FBI has postponed a plan to establish an "insider threat database" of FBI employees that would have included vast amounts of personal data, such as medical diagnostics and biometric data, on FBI employees, family members, dependents, relatives, and other personal associations. EPIC submitted comments critical of the agency plan that would have also removed important Privacy Act safeguards. The Department of Justice suggested that the delay is temporary and that a similar database may still be established for Department of Justice components. EPIC has consistently warned against inaccurate, insecure, and overly intrusive government databases. (May. 31, 2017)

EPIC Continues Opposition to Social Media Searches of Visa ApplicantsIn comments to Customs and Border Protection, EPIC opposed a plan to obtain social media information from visa applicants. EPIC said the CBP proposal threatens First Amendment rights, risked abuse, and would disproportionately impact minority groups. EPIC has previously opposedproposals to collect social media information from individuals seeking to enter the United States. In a FOIA lawsuit against DHS, EPIC obtained documents which revealed that federal agencies gather social media comments to identify individuals critical of the government. EPIC is currently pursuing a FOIA request about a revised DHS plan to require disclosure of social media passwords before allowing entry into the country. (May. 31, 2017)

DC Circuit Rules in Second EPIC Airport Body Scanner CaseIn a cursory per curium opinion, the D.C. Circuit denied EPIC's petition for review of the TSA's final rule mandating body scanners in U.S. airports. EPIC argued in EPIC v. DHS II that the TSA had failed to justify body scanners as compared with less invasive, more effective screening techniques, such as magnometers combined with explosive trace detection. Public comments overwhelmingly favored EPIC's recommendations to the federal agency. EPIC also argued that the TSA's decision to end the opt-out was contrary to the DC Circuit's earlier opinion EPIC v. DHS I which held that passengers could opt-out of the invasive screening technique. As Judge Ginsburg explained in the earlier case, "Despite the precautions taken by the TSA, it is clear that by producing an image of the unclothed passenger, an AIT scanner intrudes upon his or her personal privacy in a way a magnetometer does not." Judge Ginsburg further said, "any passenger may opt-out of AIT screening in favor of a patdown, which allows him to decide which of the two options for detecting a concealed, nonmetallic weapon or explosive is least invasive." (May. 30, 2017)

Senator Warner asks FTC to Take Action on Toys that SpySenator Mark Warner has sent a letter to the Federal Trade Commission expressing his concern about connected toys that spy on children. "I worry that protections for children are not keeping pace with consumer and technology trends shaping the market for these products," Senator Warner said in the letter. Senator Warner asked FTC Acting Chairwoman Maureen Ohlhausen to respond to several questions, including whether the FTC has "taken any action with respect to 'My Friend Cayla' or other products manufactured by Genesis Toys." EPIC filed a complaint with the FTC in December, 2016, alleging that toys My Friend Cayla and i-Que Intelligent Robot violate federal privacy laws. The complaint spurred international efforts to ban the toys from the marketplace and a congressional investigation into the toy makers' data practices. (May. 23, 2017)

EPIC Tells Congress: Limit Use of Social Security NumbersEPIC has sent a statement to the House Ways & Means Committee and House Committee on Oversight and Government Reform in advance of a hearing on "Protecting Americans' Identities: Examining Efforts to Limit the Use of Social Security Numbers." EPIC warned about the danger of SSN-related identity theft. "Given the growing risk of identity theft coupled to the SSN and the ease of alternative systems, there is simply no excuse for the use of SSNs in either the public or private sector," said EPIC. EPIC has long urged Congress and state legislators to limit use of the SSN. (May. 22, 2017)

EPIC to House Committee: IRS Must Release Trump Tax RecordsIn advance of an IRS Oversight hearing, EPIC has sent a statement to the House Appropriations Committee regarding EPIC v. IRS, the case in which EPIC is seeking release of President Trump's tax records. According to EPIC, "There has never been a more compelling FOIA request presented to the IRS." In the request to the IRS, EPIC explained that the IRS Commissioner may release tax returns to "correct misstatements of fact" and to ensure the "integrity and fairness" of the tax system. EPIC is currently pursuing several high level FOIA cases, including EPIC v. FBI and EPIC v. ODNI, to determine the scope of Russian interference with the 2016 Presidential election. (May. 22, 2017)

FBI Opposes EPIC Preservation Order in FBI Russian Interference FOIA CaseThe FBI is opposing EPIC's emergency motion to preserve records in a Freedom of Information Act case for records of the Russian Interference with the 2016 Presidential Election. Following Donald Trump's abrupt firing of FBI Director James Comey, EPIC asked a federal court to issue a preservation order for records at issue in EPIC v. FBI and to impose sanctions if the order is violated. EPIC cited irregular circumstances surrounding the firing of the FBI Director, as well as concerns expressed by members of Congress and Senators regarding the possible destruction of FBI records. In the filing today, the FBI suggested that EPIC would have to provide actual evidence of destruction of records before a court could issue a preservation order to prevent destruction of records. (May. 19, 2017)

Court Strikes Down FAA Registration Requirement for Hobbyist DronesA federal appeals court has struck down the FAA's rule requiring hobbyists to register their drones. The D.C. Circuit ruled that a registration requirement violated the FAA Modernization Act which forbade regulations for "model aircraft," including unmanned drones "flown for hobby or recreational purposes." EPIC is currently challenging the FAA's failure to establish privacy rules for "small, commercial" drones. Congress required a "comprehensive plan" for drone deployment in the United States, and more than 100 experts and organizations petitioned the agency for privacy safeguards. EPIC v. FAA is full briefed and arguments before the D.C. Circuit are anticipated this fall. (May. 19, 2017)

EPIC Opposes State Department Plan to Collect Social Media Identifiers for Visa ApplicantsIn comments to the State Department, EPIC urged the agency to drop a plan to obtain the social media identifiers of individuals applying for visas to enter the U.S. EPIC argued that the proposal threatens important First Amendment rights, risked, abuse, and would disproportionately impact certain minority groups. EPIC has previously opposed DHS proposals to collect social media information and recently submitted a FOIA request following statements made by the Homeland Security Secretary, indicating DHS planned to ask individuals for social media passwords before allowing entry into the U.S. (May. 19, 2017)

Facebook Fined $122 Million for Misleading Europe on Privacy Risks of WhatsApp MergerThe EU has fined Facebook $122 million for misleading the European Commission during the investigation of the Facebook-WhatsApp Merger. Following Facebook's acquisition of WhatsApp, WhatsApp transferred users' personal data to Facebook and violated the company's privacypromises. Facebook had downplayed the risks of the merger, saying that WhatsApp users' personal data could not be linked with their Facebook accounts. "U.S. antitrust law has failed to keep up with the digital economy and the emergence of monopoly services," EPIC president Marc Rotenberg told the New York Times. "There is far too much 'lock in' with a dominant provider, and far too much consolidation of personal data." The head of BEUC, the European consumer association, said "It is very disappointing that the Commission decided not to revise its original decision on the Facebook merger with WhatsApp." EPIC recently urged the Senate Judiciary Committee to consider the role of consumer privacy and data protection in merger reviews and highlighted the FTC's failure to block the Facebook-WhatsApp merger. (May. 18, 2017)

EPIC FOIA: EPIC Seeks Memos of Trump Conversations with FBI DirectorEPIC has filed an urgent Freedom of Information Act request with the Federal Bureau of Investigation for former Director James Comey's memos concerning his communications with President Trump. On May 16th, 2017, the New York Times reported Mr. Comey documented "every phone call and meeting he had with the president." The memos tracked "what he perceived as the president's improper efforts to influence a continuing investigation," the Times said. EPIC has filed a formal FOIA request for the public release of all of Director Comey's memos, including a memo describing his meeting with President Trump concerning National Security Advisor Flynn's resignation. Leaders of the Senate Intelligence Committee and House Oversight Committee bothrequested the FBI to turn over the memos to Congress. EPIC also recently filed an emergency motion to preserve records in EPIC v. FBI, a FOIA lawsuit for records concerning the Russian Interference with the 2016 Presidential Election. (May. 17, 2017)

EPIC Asks FTC to Stop System for Secret Scoring of Young AthletesEPIC has filed a complaint with the Federal Trade Commission to stop the secret scoring of young tennis players. The EPIC complaint concerns the "Universal Tennis Rating", a proprietary algorithm used to assign numeric scores to tennis players, many of whom are children under 13. "The UTR score defines the status of young athletes in all tennis-related activity; impacts opportunities for scholarship, education and employment; and may in the future provide the basis for 'social scoring' and government rating of citizens," according to EPIC. EPIC urged the FTC to “find that a secret, unprovable, proprietary algorithm to evaluate children is an unfair and deceptive trade practice.” In 2015, EPIC launched a campaign on "Algorithmic Transparency" and has pursued several cases, including one for rating travelers and another for assessing guilt or innocence, that draw attention to the social risks of secret algorithms. (May. 17, 2017)

EPIC v. FBI: Agency Cyber Hack Notification Procedures Fall ShortIn Freedom of Information Act lawsuit EPIC v. FBI, EPIC has obtained the FBI notification procedures that would have applied to the Russian cyberattacks during the 2016 Presidential election. The documents obtained by EPIC establish that the FBI Cyber Division is to "notify and disseminate meaningful information to victims and the CND [Computer Network Defense] community." The Cyber Division specifically notifies the "individual, organization, or corporation that is the owner or operator of the computer at the point of compromise or intrusion." The analysis to determine whether or not to notify the victim, as well as FBI procedures for approval or deferral of notification, the timing of notification, the method of notification, and more were all redacted by the agency. EPIC intends to challenge theses withholdings. The FBI's response raises questions about whether the agency fulfilled the obligation to properly notify the victims of the Russian cyberattacks.The Intelligence Community assessed that both major US political parties were attacked. The FBI also produced notificationprocedures for threats to life or serious bodily injury, and certain proceduresunder the Foreign Intelligence Surveillance Act. Next in the case, EPIC anticipates the release, on May 26, of FBI communications with political organizations and federal agencies concerning the Russian interference. (May. 15, 2017)

Court of Appeals Grants Rehearing in FTC v. AT&T MobilityThe Ninth Circuit Court of Appeals has granted rehearing of a decision that stripped the FTC of its authority over companies engaged in "common carrier" activities. The grant of rehearing vacates the court's earlier holding that the common carrier exemption to FTC authority is status-based, not activity-based. EPIC and a coalition of consumer advocates had filed a friend-of-the-court brief urging reconsideration of the court's decision, warning that the decision "could immunize from FTC oversight a vast swath of companies that engage in some degree in common carrier activity." EPIC previously filed an amicus brief in FTC v. Wyndham to defend the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." (May. 15, 2017)

EPIC Files Emergency Motion to Preserve Records in FBI Russian Interference FOIA CaseEPIC has filed an emergency motion today in EPIC v. FBI, a Freedom of Information Act case for records concerning the Russian Interference with the 2016 Presidential Election. In papers filed with a federal district court in Washington, DC, EPIC cited Donald Trump's abrupt firing of the FBI Director, and concerns expressed by Members of the House and Senate regarding the possible destruction of FBI records related to the investigation. EPIC asked the Court to issue a preservation order and to impose sanctions if the order is violated. Today, the FBI also released records to EPIC, including the agency's procedures for notifying the victims of cyberattacks. The case is EPIC v. FBI, No. 17-121, before Judge Royce C. Lamberth. [Press Release] (May. 12, 2017)

Executive Order on Cybersecurity Finally ReleasedA long delayed Executive Order on cybersecurity was released this week. The Order continues many of the cybersecurity policies of the Obama and Bush administrations. The Executive Order requires agency heads to use the NIST Framework to manage cybersecurity risk, and to provide a risk management report. The Order also requires Cabinet officials to devise a strategy for international cooperation in cybersecurity. However, the Order does not address Russia's cyber interference with the 2016 Presidential Election. EPIC, and a group of forty leading experts in law and technology, had urged the White House to strengthen privacy and data protection, and support strong encryption. The EPIC Cybersecurity and Democracy Project focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (May. 12, 2017)

EPIC: 'Not Possible' for FAA to Regulate Drone Hazards Without Privacy RulesEPIC has filed a reply brief in EPIC v. FAA, a lawsuit concerning the FAA's failure to establish privacy rules for small commercial drones. EPIC sued the FAA after the agency refused to issue drone privacy rules. Congress had required a "comprehensive plan" for drone deployment in the United States, and more than 100 experts and organizations petitioned the agency for privacy safeguards. In a brief filed last month, the FAA acknowledged "that cameras and other sensors attached to [drones] may pose a risk to privacy interests" but continued to deny the agency's responsibility to set privacy rules. EPIC wrote in reply, "It is not possible to address the hazards associated with drone operations without addressing privacy in the final rule for small commercial drone." EPIC also explained that the FAA "profoundly mischaracterizes the aviation technology at issue" by suggesting that cameras are simply add-ons. "Drone cameras are an integral component of drone operations," EPIC explained. "Without a camera, it would be almost impossible to operate a commercial drone." (May. 12, 2017)

D.C. Circuit: California Water Well Information Exempt from Public DisclosureThe D.C. Circuit Court of Appeals has ruled that information about a government project to manage water in the California is exempt from disclosure under the Freedom of Information Act. The Court found that Exemption 9, which covers "geological and geophysical information…concerning wells," permitted the Bureau of Reclamation to withhold information about well location and depth information. "Congress enacted FOIA to 'permit access to official information long shielded unnecessarily from public view,'" the Court said. However, the D.C. Circuit rejected the arguments of environmental group AquAlliance that the legislative history indicated the exemption only applied to oil and gas wells; the Court said it should "assume that Congress meant what it said, and said what it meant." EPIC frequently fights overbroad agency withholding of public records. In EPIC v. FBI, a FOIA lawsuit seeking release of FBI privacy assessments, a court sided with EPIC and agreed that the agency did not justify withholding records under a FOIA exemption for law enforcement procedures and techniques. (May. 11, 2017)

In Merger Reviews, EPIC Advocates for Privacy, Algorithmic TransparencyEPIC has sent a statement to the Senate Judiciary Committee ahead of a hearing on the new Antitrust Chief. EPIC urged the Committee to consider the role of consumer privacy and data protection in merger reviews. EPIC warned that "monopoly platforms" are reducing competition, stifling innovation, and undermining privacy. EPIC pointed to the FTC's failure to block the Google/DoubleClick merger which accelerated Google's dominance of Internet advertising and the WhatsApp/Facebook merger which paved the way for Facebook to access confidential WhatsApp user data. EPIC also suggested that "algorithmic transparency" would become increasingly important for merger analysis. EPIC is a leading consumer privacy advocate and regularly submits complaints urging investigations and changes to unfair business practices. (May. 9, 2017)

EPIC Joins Coalition to Urge FOIA Compliance On Congress-Agency CommunicationsEPIC joined a coalition of civil society organizations to urge the House Committee on Financial Services to rescind guidance declaring communications between the Department of Treasury and the Committee are exempt from public access. In the letter to Chairman Jeb Hensarling (R-TX), the coalition stated the move represented "a troubling precedent" that "improperly restrict[s] the ability of the public to use FOIA." Records in the possession of federal agencies are presumptively available to the public under the Freedom of Information Act. EPIC and a coalition also recently urged the Immigration and Customs Enforcement to comply with the FOIA and "fully disclose information on immigration enforcement cooperation between federal and non-federal law enforcement agencies." For more information about EPIC's latest open government work, visit: https://epic.org/open_gov/. (May. 9, 2017)

Former Attorney General Testifies about Russian Influence with Key Trump AdvisorIn a hearing before a Senate Judiciary Subcommittee, former Acting Attorney General Sally Yates said she warned the White House that General Michael Flynn "could be blackmailed by the Russians" who knew he had lied about his Russian contacts. Yates also said the DOJ came forward out of concern that both administration officials and the American people "had been misled." As a part of the Democracy and Cybersecurity Project, EPIC is pursuing a Freedom of Information Act request for records of DOJ's investigation of Russian interference, EPIC explained to the Senate committee that "the public has 'the right to know' the extent of Russian interference with democratic elections and the steps that are being taken to prevent future attacks." (May. 9, 2017)

On Cyber Policy, EPIC Urges Senate to Protect Consumers, Democratic InstitutionsIn advance of a hearing on "Cyber Threats Facing America: An Overview of the Cybersecurity Threat Landscape," EPIC has sent a statement to a Senate Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project that will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (May. 8, 2017)

Goldberg, Kasparov, Rivest and Wald to Receive EPIC 2017 AwardsEPIC has announced the recipients of the 2017 Champions of Freedom Awards. They are privacy attorney Carrie Goldberg, human rights advocate Garry Kasparov, and Judge Patricia Wald. Computer scientist Ron Rivest will receive the 2017 EPIC Lifetime Achievement Award. Event hosts include Danielle Citron, John Podesta, Marc Rotenberg, Bruce Schneier, and Manoush Zomorodi. The 2017 EPIC Awards dinner will be held at the National Press Club in Washington, DC on Monday, June 5, 2017. Tickets are available. (May. 7, 2017)

Intelligence Agency Provides Non-Responsive Response in EPIC Lawsuit for Russia ReportThe Director of National Intelligence has failed to provide a sufficient response in EPIC v. ODNI, concerning release of the report on the Russian interference in the 2016 Presidential election. The intelligence agency was required to release all “non-exempt portions" of the report to EPIC on May 3, 2017. However the agency withheld the entire document, refusing to provide even partial information that should have been released to EPIC under the Freedom of Information Act. As EPIC made clear in the complaint, “There is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks on democratic institutions.” EPIC will challenge the agency’s response as the litigation continues in federal district court in Washington, DC. EPIC v. ODNI is a part of the EPIC Cybersecurity and Democracy Project, which focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (May. 3, 2017)

EPIC v. ODNI: EPIC Anticipates Release of Report on Russian HackingIn a Freedom of Information Act lawsuit EPIC v. ODNI, EPIC anticipates the May 3 release of the Complete Assessment of the Russian interference in the 2016 presidential election. In January 2017, the Director of National Intelligence released a limited, declassified version report about the "multi-pronged attack" on democratic institutions. EPIC filed a FOIA suit for public release of the Complete Assessment of Russian interference. As EPIC explained in an op-ed in The Hill and statements to Congress, the "public has a right to know the details when a foreign government attempts to influence the outcome of a U.S. presidential election." In accordance with the briefing schedule in the case, the ODNI must release all non-exempt portions of the Complete Assessment on May 3, 2017 to EPIC. EPIC is also pursuing two related FOIA cases as part of the Democracy and Cybersecurity Project. In EPIC v. FBI, EPIC is seeking records concerning the FBI's investigation of Russian interference. In EPIC v. IRS, EPIC is seeking release of President Trump’s Tax records. (May. 2, 2017)

EPIC Renews Call for Connected Cars SafeguardsIn comments to the FTC and NHTSA ahead of a June workshop, EPIC underscored the need to safeguard consumers and improve vehicle security. EPIC also defended the role of states that are developing new safeguards for connected vehicles. For more than a decade, EPIC has been a leading advocate for privacy and security measure for connected vehicles. EPIC routinely submitscomments to federal agencies regarding the unique challenges that these vehicles present. EPIC has also testified before Congress, filed amicus briefs, and submitted statements on the risks of autonomous vehicles. (May. 2, 2017)

EPIC Urges Senate Committee to Investigate FBI's Massive Biometric DatabaseEPIC has sent a statement to the Senate Judiciary Committee for an upcoming FBI oversight hearing. EPIC urged the Committee to investigate the FBI's Next Generation Identification system, a massive biometric database. EPIC has sought to ensure that the FBI database complies fully with the federal Privacy Act which the Bureau has opposed. EPIC explained to the Senate Committee that an individual's ability to control disclosure of identity "is an essential aspect of personal security and privacy." In a leading FOIA lawsuit, EPIC v. FBI, EPIC also uncovered documents which revealed high error rates in the biometric system. EPIC has filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense. (May. 1, 2017)

European Data Protection Supervisor Backs "E-Privacy" Directive UpdatesEuropean Data Protection Supervisor Giovanni Buttarelli, one of Europe's top privacy officials, published an opinion backing a key update to EU privacy law. The updated e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The EDPS welcomed the "ambitious attempt to provide for the comprehensive protection of electronic communications." However, the EDPS opinion also emphasized the need to strengthen privacy protections, raising concern about the proposal's complexity and failure to cover data processing beyond communications services providers. The EDPS's statement follows a supportive opinion from the Article 29 Working Party, an expert group of European privacy officials. EPIC recently hosted Mr. Buttarelli in Washington, DC to speak before the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy issues between civil society organizations and policy leaders. (May. 1, 2017)

Following EPIC’s appeal of a decision to “neither confirm nor deny” the existence of a FISA application to monitor Trump Tower, the Justice Department took the unusual step of submitting the matter for declassification review. After the President tweeted allegations that President Obama “had [his] wires tapped in Trump Tower,” EPIC filed an urgent FOIA request for any FISA applications concerning Trump Tower. The Justice denied the request, but on appeal stated it was referring this matter “so that it may determine if the existence or nonexistence of any responsive records should remain classified.” The Justice Departement issued a similar response to EPIC’s related request concerning alleged surveillance of the Trump team. EPIC had explained in the appeal that “the agency may not hide behind the ‘neither confirm nor deny’ response” after FBI Director James Comey stated before Congress that the FBI and the Justice Department had “no information” to support the President’s tweets.

(Apr. 28, 2017)

In EPIC Lawsuit, FAA Concedes Drone Privacy RisksThe Federal Aviation Administration has filed a brief in response to EPIC's lawsuit, EPIC v. FAA, concerning the FAA's failure to establish privacy rules for commercial drones. EPIC sued the FAA after Congress required a "comprehensive plan" for drone deployment in the United States and the FAA denied EPIC's petition calling for privacy safeguards. In the opposition brief, the FAA acknowledged "that cameras and other sensors attached to [drones] may pose a risk to privacy interests." The FAA claims that the agency is not ignoring drone privacy risks, but documents from a previous Freedom of Information Act request by EPIC showed the agency also failed to complete a drone privacy report required by Congress. (Apr. 28, 2017)

Appeals Court Rules in Video App Privacy CaseA Federal Court of Appeals has ruled in Perry v. CNN, a case concerning the disclosure of video viewing records. EPIC filed an amicus brief and explained that the Video Privacy Protection Act applies to all companies that collect video records, including app companies. The Appeals Court held that the plaintiff, a mobile app user, wasn't a "subscriber" under the video privacy law, following an earlier similar decision by the same court. However, the appeals court made clear that federal privacy laws, such as the Video Privacy Protection Act, provide a sufficient basis for a lawsuit without the need to show additional harm. (Apr. 27, 2017)

German Court Blocks Facebook's Efforts to Obtain WhatsApp User DataA German court has upheld an order requiring Facebook to suspend the import of users' personal data from WhatsApp. Following Facebook's acquisition of WhatsApp, WhatsAppannounced that it would transfer users' personal data to Facebook, violating the company's privacypromises. A Data Protection Commissioner in Germany ordered Facebook to halt the data transfer. This week a German court refused Facebook's attempt to block the order, ruling that Facebook had no legal basis for the transfer and no effective consent from WhatsApp users. The transfer is also under investigation by the Article 29 Working party, a group of European privacy officials. EPIC filed a complaint with the FTC in 2014, backed by over a dozen US consumer groups, urging the US agency to block the acquisition of WhatsApp if privacy safeguards were not established. As EPIC explained, "WhatsApp built a user base based on its commitment not to collect user data for advertising revenue. Acting in reliance on WhatsApp representations, Internet users provided detailed personal information to the company including private text to close friends." (Apr. 27, 2017)

EPIC to Congress: Examine TSA SecrecyEPIC has sent a statement to the House Committee on Homeland Security for an oversight hearing on the Transportation Security Administration. EPIC has objected to the TSA's refusal to release information the agency designated as "sensitive security information" that is pertinent to EPIC's ongoing case against TSA regarding airport body scanners. EPIC said that the TSA is "seeking to hide its decision making behind this cloak of secrecy." Congress also criticized the TSA's use of the SSI designation in an extensive report on "Pseudo Classification." In the statement for the Committee, EPIC also objected to the eye scanning of US travelers at US airports. (Apr. 26, 2017)

EPIC: Enhanced Surveillance at Border Will Sweep Up U.S. CitizensA statement from EPIC to the House Oversight Committee for a hearing on border security warns that enhanced surveillance will impact citizens' rights. "The use of drones in border security will place U.S. citizens living on the border under ceaseless surveillance by the government." said EPIC. EPIC noted that Customs and Border Protection is already deploying drones with facial recognition technology on U.S. communities. In 2013, EPIC obtained records under the Freedom of Information Act which revealed that CBP drones could also intercept electronic communications in the United States. State laws in some border states prohibit warrantless aerial surveillance but the United States has failed to enact laws to limit drone surveillance. EPIC has sued the FAA for the agency's failure to create drone privacy safegruards as required by Congress. (Apr. 26, 2017)

EPIC, Coalition Urge FCC to Act on Petition to End Call Data RetentionEPIC and a coalition of leading civil society organizations have sent a letter to the Federal Communications Commission urging the Commission to act immediately upon a petition submitted by an EPIC-led coalition almost two years ago. The petition called for an end to the FCC rule requiring the mass retention of phone records. The privacy organizations said that the FCC regulation was "unduly burdensome and ineffectual and posed an ongoing threat to the privacy and security of American consumers." The FCC requires phone companies to retain sensitive information on all telephone customer calling activity for 18 months, including telephone numbers dialed, date, time, and length. The coalition letter states that "the time has come to give the public the opportunity to comment on whether the data retention mandate should continue." (Apr. 23, 2017)

EPIC, Privacy Coalition Meet with EU Data Protection SupervisorEuropean Data Protection Supervisor Giovanni Buttarelli spoke today to the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy between civil society organizations and policy leaders. Mr. Buttarelli addressed relations between the European Union and the United States, and discussed encryption policy, the E-Privacy Regulation, the Privacy Shield, the U.S. Privacy Act as it applies to foreigners among many other topics. Recent speakers at the Privacy Coalition have included FTC Chair Maureen Ohlhausen and FCC Senior Counsel Nick Degani. (Apr. 21, 2017)

The Administrative Office of the U.S. Courts has issued the 2016 report on activities of the Foreign Intelligence Surveillance Court. The 2016 FISA report reveals that there were 1,752 FISA applications in 2016, of which 1,378 were granted, 339 were modified, 26 were denied in part, and 9 were denied in full. Scrutiny of FISA applications increased substantially in 2016. The FISA court denied more applications in 2016 than it had during the previous 36 years. In testimony before Congress in 2012, EPIC urged increased public reporting of the use of FISA authority to prevent abuse. Several of EPIC’s recommendations are reflected in the revised reporting requirements, following passage of the USA FREEDOM Act in June 2015.

(Apr. 21, 2017)

Government Argues for PRISM Reauthorization in New ReportThe Office of the Director of National Intelligence has released a report on the controversial Section 702 "PRISM" program, which is set to expire on December 31, 2017. The report argues for renewal, but significant questions remain about the PRISM program. Despite repeated requests from Congress, the ODNI has refused to reveal the number of U.S. persons who are swept up in PRISM surveillance every year. EPIC sent a letter to the House Judiciary Committee urging public reporting of the Government's surveillance activities. EPIC also warned that the Section 702 legal controversy could block international data transfers. (Apr. 20, 2017)

EPIC, Coalition Urge DHS Secretary to Reject Social Media Password RequirementEPIC has joined the Fly Don't Spy! campaign to urge DHS Secretary Kelly to reject plans to require to hand over passwords to the federal government. Such a requirement would undermine privacy and human rights, chill freedom of speech and association, and create greater security risks for travelers. Earlier this year, Secretary Kelly testified before Congress about collecting social media passwords. In response, EPIC immediately filed a Freedom of Information Act request regarding all DHS plans to use individuals' internet and social media information to vet potential entrants to the U.S. (Apr. 18, 2017)

EPIC Sues IRS for Release of Trump's Tax RecordsToday EPIC filed a FOIA lawsuit against the IRS after the agency failed to release Donald J. Trump’s tax records. According to EPIC, "There has never been a more compelling FOIA request presented to the IRS.” In the request to the IRS, EPIC explained that the IRS Commissioner may release tax returns to "correct misstatements of fact" and to ensure the “integrity and fairness" of the tax system. EPIC cited an earlier statement of Senator Charles Grassley (R-IA), a member of the Joint Committee on Taxation, in support of the release. The case is captioned EPIC v. IRS, 17-670 (D.D.C. filed Apr. 15, 2017). For more information, see the Press Release about EPIC v. IRS. EPIC is currently pursuing several high level FOIA cases, including EPIC v. FBI and EPIC v. ODNI, to determine the scope of Russian interference with the 2016 Presidential election. (Apr. 15, 2017)

European Privacy Officials Back "E-Privacy" Directive UpdatesThe Article 29 Working Party, an expert group of European privacy officials, has issued an opinion supporting a key proposal to modernize EU privacy law for electronic communications. The updated e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The Working Party welcomed the harmonization of privacy standards across the European Union, but cautioned that the Privacy Directive must offer protections at least as strong as the recently adopted General Data Protection Regulation. EPIC had urged the US Federal Communication Commission to adopt a similar, comprehensive approach to communications privacy. A narrow FCC rule covering only ISPs was recently rescinded by Congress, folding under attacks that it unreasonably singled out a sector of the communications industry. (Apr. 12, 2017)

Court Rules That Texas Voter ID Law Intentionally DiscriminatesA federal district court has ruled that a Texas voter ID law violates the Voting Rights Act because the state legislature intended the law to be discriminatory. The ruling effectively halts enforcement of the law, which poses a significant threat to voter privacy and could discourage legal voters. Last summer, the Fifth Circuit Court Appeals held that the Texas law had a "discriminatory effect" on minorities' voting rights and sent the case back to the district court to reexamine whether the law was passed with “discriminatory purpose.” EPIC filed an amicus brief with the appeals court arguing that that the Texas law places an unconstitutional burden on voters' rights to informational privacy because of the excessive collection of personal data. Such bills "disenfranchise individuals who seek to protect their personal information from data breach, cybercrime, and commercial exploitation," EPIC wrote. The Supreme Court recently declined to review the Fifth Circuit’s ruling. (Apr. 12, 2017)

NY Court Backs Move to Destroy IDNYC ApplicationsA judge ruled this week that New York City may destroy the application materials of those who applied for an NYC identification card. The IDNYC program allows any New York City resident, regardless of immigration status, to obtain an identity document to access city services and to open a bank account. The IDNYC program was intended to assist vulnerable populations, including homeless, victims of domestic violence and undocumented immigrants. More than one million cards were issued and fewer than 2% of applications were denied. Under initial implementation, the application documentation was to be retained for two years, but critics of the program sought to obtain the personal information of applicants with the state FOI law. The judge rejected the claim. EPIC has long warned that the retention of identity document enrollment materials pose a significant privacy risk. (Apr. 11, 2017)

Privacy Poll - Users More Concerned about Google and Facebook than ISPsAccording to a POLITICO / Morning Consult poll, Americans trust Google and Facebook less than ISPs to protect personal data. Only 43% of respondents trusted broadband companies with personal information "a great deal" or "a fair amount." But trust in internet companies was much lower: 31% said they trust Facebook, 21% trust Twitter, 39% trust Google, and 35% trust other websites they visit regularly. The poll also shows public opposition to web tracking, with 70% respondents saying they were "somewhat uncomfortable" or "very uncomfortable" with companies tracking the web sites people visit and 77% being uncomfortable with companies selling people's data for advertising purposes. EPIC had urged the FCC to adopt a comprehensive approach to privacy protection and maintains an extensive page on Privacy and Public Opinion. (Apr. 11, 2017)

Senators Markey and Hatch Propose Student Privacy ActSenator Edward Markey (D-Mass) and Senator Orrin Hatch (R-Utah) have reintroduced the "Protecting Student Privacy Act." The Act would strengthen the Family Educational Rights and Privacy Act, a federal student privacy law. The Student Privacy Act would also implement several of the recommendations EPIC set out in the Student Privacy Bill of Rights, including data security safeguards, student access to personal information held by companies, prohibiting the use of personal data for marketing purposes, and minimizing the personal information schools transfer to third parties. (Apr. 7, 2017)

Senate Confirms Neil Gorsuch to U.S. Supreme CourtThe Senate has confirmedNeil Gorsuch as the next Associate Justice of the U.S. Supreme Court. The final vote was 54 yeas to 45 nays. During Justice Gorsuch’s confirmation hearing, EPIC urged the Senate Judiciary Committee to scrutinize Gorsuch’s positions on a wide range of privacy, First Amendment, open government, and consumer protection issues. Gorsuch’s views on these subjects could have "far-reaching implications" for “the future of privacy in the digital era," EPIC wrote. Committee members ultimately questioned Gorsuch extensively on the constitutional right to privacy, the application of the Fourth Amendment to new technologies, and the right to anonymous speech. EPIC regularly shares its views with the Senate concerning nominees to the Supreme Court, including Justice Kagan, Justice Sotomayor, Justice Alito, and Chief Justice Roberts. (Apr. 7, 2017)

EPIC Appeals Passenger Profiling Case to DC CircuitEPIC has appealed the ruling in EPIC v. CBP, case involving a controversial passenger screening program that combines detailed personal information with secret algorithms to assign "risk assessments" to travelers—including US citizens. EPIC sued the agency for information about the "Analytic Framework for Intelligence" under the Freedom of Information Act. As a consequence of the EPIC FOIA lawsuit, EPIC obtained important documents and prevailed in an earlier phase of the case. However, the federal court in Washington, DC declined last month to order the release of certain additional materials. EPIC is now asking the DC Circuit Court of Appeals to overrule the lower court's decision and compel the release of documents sought by EPIC. (Apr. 7, 2017)

EPIC Obtains Documents About FBI Drone ProgramAs a result of a Freedom of Information Act request, EPIC has obtained the FBI's first annual summary report on drone operations. The annual reports are required by an Obama Presidential Memorandum regarding the domestic use of drones by federal agencies. EPIC also obtained related documents about FBI drone operations that were heavily redacted. Additionally, EPIC requested the FBI's drone policies and procedures related to privacy, civil liberties, and civil rights. The FBI has not yet released these documents to EPIC. EPIC will appeal the FBI's failure to release these documents and will also challenge the redactions in the documents that were released. (Apr. 6, 2017)

European Parliament Expresses Alarm Over Rollback of US Privacy SafeguardsIn a resolution passed today, the European Parliament expressed alarm over the rollback of U.S. privacy safeguards necessary for Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. The Parliament cited several recent developments including procedures that allow the NSA to disseminate raw data across the US government, vacancies at the Federal Trade Commission and the Privacy and Civil Liberties Oversight Board, the repeal of an FCC privacy rule, and the absence of effective redress for violations of Privacy Shield. The resolution of Parliament called on the European Commission to rigorously analyze these matters and to "take all necessary measures" to ensure the agreement respects EU privacy rights. In 2015, EPIC a coalition of privacy organizations had urged the US and the EU to strengthen privacy protections, following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US. (Apr. 6, 2017)

EPIC Recommends Scrutiny of DEA Surveillance ProgramsIn a letter to the House Judiciary Committee for an oversight hearing, EPIC highlighted civil liberties problems with DEA programs. In 2014, EPIC sued the DEA for information about the agency's Hemisphere program, a massive telephone record database. More recently, EPIC prevailed in a FOIA lawsuit that revealed the DEA's failure to conduct privacy assessments required by law, for the agency's license plate scanning program. In the letter EPIC urged the Committee to investigate the Hemisphere program and determine whether the agency will complete privacy impact statements for agency programs as required by law. (Apr. 4, 2017)

Trump Repeals Broadband Privacy SafeguardsDonald Trump signed a congressional resolution rescinding the FCC's broadband privacy rules. The rules required internet service providers to obtain consumers' consent before accessing sensitive information and to notify consumers of data breaches. The resolution nullifies the FCC's rules and blocks the FCC from enacting similar rules in the future. EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy, and also explained to Congress that the FTC does not effectively safeguard consumer privacy. EPIC also has a petition pending before the FCC to end the mandatory retention of private customer telephone records. (Apr. 4, 2017)

D.C. Circuit Hears Arguments in Data Breach CaseA federal appeals court in Washington, D.C. heard arguments today in a major data breach suit. The faulty security practices of Carefirst, a health insurer, allowed hackers to obtain the personal information of more than 1,100,000 customers. But a lower court dismissed the case because the judge believed that consumers must suffer actual identity theft before before filing a lawsuit. EPIC's amicus brief explained that the judge misunderstood the law and confused the harm consumers eventually suffer with the failure of companies to uphold obligations to safeguard the data they choose to collect. The appellate judges today voiced similar doubts about the lower court's decision, suggesting that consumers don't have to wait until their identity is stolen to bring a lawsuit. One judge compared the case to a person putting down her driver's license to rent a Segway, only to have it stolen from the rental company. EPIC regularly files briefs defending the privacy rights of consumers. (Mar. 31, 2017)

EPIC To Senate Intelligence - "Public Has Right to Know About Russia Ties"EPIC has sent a letter to the Senate Intelligence Committee for a hearing on "Disinformation: A Primer in Russian Active Measures and Influence Campaigns." EPIC described its Freedom of Information Act cases against the FBI and the ODNI to obtain records about activities aimed at undermining democratic institutions. EPIC is also pursuing the release of any FISA orders for Trump Tower, as well as Donald Trump's tax returns. EPIC wrote the "need to understand Russian efforts to influence democratic elections cannot be overstated." EPIC President Marc Rotenberg summarized EPIC's FOIA efforts in an op-ed in The Hill earlier this week. (Mar. 29, 2017)

EPIC Pursues Release of President Trump's Tax ReturnsEPIC has renewed its Freedom of Information Act request for Donald Trump's tax returns after FBI Director Comey confirmed an FBI investigation into financial ties between the Trump campaign and the Russian government. The Senate Intelligence Committee is also investigating Russian interference in the 2016 presidential election and the role of Trump advisors. Former National Security Advisor Mike Flynn resigned after evidence emerged that he received more than $30,000 to celebrate the Russian propaganda outlet RT. As EPIC stated, "At no time in American history has a stronger claim been presented to the IRS for the public release of tax records." EPIC explained that the IRS has the authority to release tax records to correct "misstatements of fact." EPIC cited contradictory statements made by the President, advisers, and family members, including Jared Kusher, who stated "Russians make up a pretty disproportionate cross-section of a lot of our assets. We see a lot of money pouring in from Russia." The President later tweeted that he "has ZERO investments in Russia" and that he has "NOTHING TO DO WITH RUSSIA-NO DEALS, NO LOANS, NO NOTHING." (Mar. 29, 2017)

EPIC FOIAs Docs for Key Witnesses at Cancelled Oversight HearingEPIC has submitted a series of urgent Freedom of Information Actrequests for records concerning three witnesses who were scheduled to testify at an oversight hearing next week — Former Director of National Intelligence James Clapper, former Central Intelligence Agency Director John Brennan, and former Deputy Attorney General Sally Yates. Chairman Devon Nunes (R-CA), abruptly cancelled the hearing on the Russian interference in the 2016 Presidential Election, a move Ranking Member Adam Schiff (D-CA) called "an attempt to choke off public info." In today's FOIA requests, EPIC seeks to make public the information known to the witnesses about the Russian interference that would have presented to Committee members. EPIC is also pursuing related FOIA lawsuits against the FBI and ODNI. For more information about EPIC's latest open government work, visit: https://epic.org/open_gov/. (Mar. 24, 2017)

Court Rules in EPIC's Passenger Profiling Lawsuit Against DHSA federal court in Washington, DC has issued a ruling in EPIC v. DHS, case involving a controversial passenger screening program operated by Customs and Border Protection. Under the program, CBP combines detailed personal information with secret algorithms to assign "risk assessments" to travelers—including US citizens. EPIC sued the DHS for information about the "Analytic Framework for Intelligence" program, and argued that the agency unlawfully withheld records under the Freedom of Information Act. As a consequence of the EPIC FOIA lawsuit, EPIC obtained important documents and prevailed in an earlier phase of the case. However, the Court declined to order the further release of certain training materials for the profiling system EPIC sought. EPIC is currently deciding whether to pursue further a legal challenge to the agency's withholding. (Mar. 24, 2017)

Senate Dismantles FCC Broadband Privacy RulesToday the Senate voted to roll back the FCC's broadband privacy rules which require internet service providers to obtain consumers' consent for accessing sensitive information and required consumers to be notified of any data breaches. Senator Edward Markey (D-MA) blasted the vote stating that it is "Now easier for American's sensitive information about their health, finances and families to be used, shared, and sold to the highest bidder without their permission." EPIC had urged the FCC to establish comprehensive safeguards for consumer privacy. (Mar. 24, 2017)

EPIC Letter to House Oversight Committee Backs Open GovernmentA a letter from EPIC to the House Oversight Committee for a hearing on "Legislative Proposals for Fostering Transparency" highlighted the Freedom of Information Act. EPIC routinely pursues FOIA case on issues of public concern. Previously, EPIC uncovered evidence that airport body scanners are ineffective, that DHS monitors social media, and that the FBI's biometric database is filled with inaccuracies. EPIC is now seeking the Complete Assessment of Russian interference in the 2016 election as well information on "risk assessment" tools in the criminal justice system. In celebration of Sunshine Week, EPIC recently published the 2017 FOIA Gallery which showcases EPIC's work in 2016 to further government transparency. (Mar. 24, 2017)

EPIC Submits FOIA Request Seeking Documents on Airline Electronics BanEPIC has submitted a Freedom of Information Act request to the TSA seeking information on the recently announcedban on electronics on flights bound for the United States. The ban applies to ten airports in eight majority Muslim countries. EPIC is seeking documents related to the reasons for implementing the ban as well as documentation on TSA policies and procedures for searching electronics in checked luggage. EPIC regularly submits FOIA requests to government agencies and is also seeking information on eye scans conducted at US airports on US travelers. In EPIC v. DHS, EPIC is challenging the TSA's efforts to mandate airport body scanners. (Mar. 22, 2017)

EPIC, Coalition Focus on Immigration Orders, Data Practices, and Government AccountabilityIn a letter to DHS Secretary Kelly and Attorney General Sessions, EPIC and a coalition of 25 open government organizations expressed concerns about the lawfulness and objectivity of data practices under severalrecent immigration Executive Orders. Official memos reveal the Orders are being implemented in "manner that is unlawful and inconsistent with federal information quality guidelines, raising serious privacy, transparency, and accountability concerns." The coalition urged Secretary Kelly and the Attorney General to align data practices with privacy safeguards, open data, and data quality requirements. "Public data allows the public to hold its government accountable - but that is only possible if government information is released in a complete, consistent, unbiased, and open manner," the group stated. Earlier this year, EPIC also collaborated with other open government advocates to push for greater transparency in federal dispute resolution services and to preserve access to government information online. (Mar. 22, 2017)

Comey Confirms Russian Investigation, FBI Seeks Delay in EPIC FOIA CaseFollowing Director James Comey's confirmation of the FBI investigation into ties between Russia and Trump's presidential campaign, the FBI asked to delay EPIC's FOIA lawsuit against the agency. In EPIC v. FBI, EPIC seeks public release of records pertaining to the Russian interference with the 2016 Presidential election. Yesterday, in an open hearing before the House Select Intelligence Committee, Comey acknowledged for first time that the FBI is investigating possible coordination between the Trump campaign and Russia's interference in the election. Following the testimony, the FBI immediately asked the court for more time file a schedule for processing the FOIA request in EPIC's case against the FBI. EPIC is simultaneously pursuing a FOIA appeal with the DOJ, pressing the agency to reveal the existence of any applications to wiretap Trump Tower. EPIC has also filed suit against the ODNI for public release of the Complete ODNI Assessment of the Russian interference in the 2016 election, and a new EPIC project, the EPIC Cybersecurity and Democracy Project, will focus on US cyber policies. (Mar. 21, 2017)

EPIC Appeals DOJ Response to "Neither Confirm nor Deny" FISA Order on Trump TowerEPIC has appealed the DOJ’s decision to “neither confirm nor deny" the existence of a FISA application to monitor Trump Tower. Following tweets by the President alleging that President Obama "had [his] wires tapped in Trump Tower,” EPIC submitted an urgent FOIA request with the DOJ’s National Security Division for public release of any FISA applications for wiretapping Trump Tower. In response, the DOJ stated on Friday that "we can neither confirm nor deny the existence of records in these files responsive to your request." Yet, in today’s hearing before the House Select Committee on Intelligence, FBI Director James Comey stated that both the FBI and the DOJ had “no information to support those tweets.” EPIC has appealed the agency's response to the FOIA request, stating "Based on the FBI Director’s statement today... the agency may not hide behind the “neither confirm nor deny" response," and the "agency should immediately process EPIC’s FOIA Request." The heads of the Senate and House Intelligence committees have also publicly rejected the allegations, along with House Speaker Paul Ryan. EPIC will continue to press the DOJ for release of the information. (Mar. 20, 2017)

EPIC Urges House Intelligence Committee to Investigate Russian Interference With US ElectionEPIC has sent a letter to the House Intelligence Committee for a hearing on "Russian Active Measures Investigation," during which FBI Director James Comes will testify. EPIC described a FOIA request with the Department of Justice for the public release of any applications filed under "FISA" for wiretapping Trump Tower. This past Friday, DOJ responded to EPIC stating it can neither "confirm nor deny" the existence of a FISA application to monitor Trump Tower. EPIC also described its Freedom of Information Act cases against the FBI and the ODNI to obtain records about activities aimed at undermining democratic institutions. EPIC explained that upcoming federal elections in Europe underscore the need to assess the threat to democratic elections. EPIC told the Committee the "need to understand Russian efforts to influence democratic elections cannot be overstated." (Mar. 20, 2017)

EPIC Urges Senate Committee to Explore Gorsuch's Views on PrivacyIn a letter to the Senate Judiciary Committee, EPIC has urged Senators to question Supreme Court nominee Neil Gorsuch on a wide range of privacy, First Amendment, open government, and consumer protection issues. Judge Gorsuch’s views on these subjects could have "far-reaching implications" for “the future of privacy in the digital era," EPIC wrote. The letter from EPIC emphasized that "[t]hese issues could not be more timely” given recent allegations by the President “that he was the target of government surveillance"—a claim that is the target of an EPIC freedom of information request. EPIC regularly shares its views with the Senate concerning nominees to the Supreme Court, including Justice Kagan, Justice Sotomayor, Justice Alito, and Chief Justice Roberts. The Senate hearing will be webcast on C-SPAN Monday at 11:00 am EDT. (Mar. 20, 2017)

EPIC FOIA: DOJ will neither "confirm nor deny" existence of FISA Application for Trump TowerIn a letter to EPIC, the Department of Justice’s National Security Division stated it will neither "confirm nor deny" the existence of a FISA application to monitor Trump Tower. After the President has charged that President Obama "had [his] wires tapped in Trump Tower,” EPIC filed an urgent FOIA request with the DOJ for the public release of any applications filed under "FISA" for wiretapping Trump Tower. In response to EPIC’s FOIA request, the DOJ has stated, "we can neither confirm nor deny the existence of records in these files responsive to your request." EPIC will challenge the agency's determination. The Senate Select Committee on Intelligence released a bipartisan statement rejecting the allegations, and House Speaker Paul Ryan stated on Thursday they have "seen no evidence" of wiretapping. EPIC also filed a related request for five categories of FISA applications related to the alleged surveillance of the Trump team. The DOJ provided the same response to EPIC to that request. (Mar. 18, 2017)

Sen. Markey and Rep. Welch Introduce Drone Privacy LegislationSenator Markey and Representative Welch today introduced the Drone Aircraft Privacy and Transparency Act of 2017. The Act would establish privacy safeguards to protect individuals from drone surveillance. The Drone Privacy Act requires publicly available data collection statements from operators and warrants for drone surveillance by law enforcement. "Drones flying overhead could collect very sensitive and personally identifiable information about millions of Americans, but right now, we don't have sufficient safeguards in place to protect our privacy," said Senator Markey. The Act includes privacy protections EPIC has proposed in statements to Congress and comments to federal agencies. In EPIC v. FAA, EPIC is challenging the failure of the FAA to protect the public from aerial surveillance. (Mar. 15, 2017)

EPIC Urges Senate Committee to Investigate Russian Interference with US ElectionEPIC has sent a letter to the Senate Judiciary Committee for a hearing on "The Modus Operandi and Toolbox of Russia and Other Autocracies for Undermining Democracies Throughout the World." EPIC described two of its Freedom of Information Act cases against the FBI and the ODNI to obtain records about activities aimed at undermining democratic institutions, as well as a pending FOIA request regarding the "wiretapping of Trump Tower." EPIC explained that upcoming federal elections in Europe underscore the need to assess the threat to democratic elections. EPIC told the Committee the "need to understand Russian efforts to influence democratic elections cannot be overstated." (Mar. 15, 2017)

EPIC Publishes 2017 FOIA GalleryIn celebration of Sunshine Week, a national recognition of public access to information, EPIC has unveiled the 2017 FOIA Gallery. Since 2001, EPIC has released annual highlights of EPIC's most significant open government cases. In 2016, EPIC obtained records detailing a Customs and Border Protection data mining program used to build "risk" profiles on travelers, unveiled two years' worth of statistical data showing the FBI's growing biometric identification program, and revealed the DEA's failure to conduct legally mandated privacy assessments in EPIC v. DEA. In the latest FOIA Gallery, EPIC also highlights twonew FOIA lawsuits to uncover details of the Russian interference in the 2016 election case concerning electronic surveillance report, and the launch of EPIC's new course teaching the basics of the federal FOIA. (Mar. 10, 2017)

DOJ Report on FOIA Compliance: EPIC #2 in 2016 for Fee AwardsThe Justice Department's Office of Information Policy has released the 2016 Freedom of Information Act Litigation and Compliance Report. The report describes the DOJ's efforts in 2016 to ensure compliance with the open government law across the federal government, from issuing policy guidance to holding FOIA trainings. The agency also issued a list of FOIA cases where a court decision was rendered in 2016 and the amount of fees awarded by the court. EPIC tied for second (with the ACLU), behind the Public Employees for Environmental Responsibility, as the most successful FOIA litigator in the country, receiving court-ordered fee awards in three cases in 2016. In 2017, EPIC has already prevailed in a FOIA case against the FBI for public release of the agency's privacy assessments. Fees are anticipated in that case. For more information about EPIC's open government work, visit: https://epic.org/open_gov/. (Mar. 9, 2017)

EPIC Seeks Documents on Trump - Pai White House MeetingEPIC has filed an urgent FOIA request with the FCC for information on the recent meeting between FCC Chairman Ajit Pai and President Donald Trump. EPIC is seeking memos, briefing papers, emails, and talking points relating to the White House meeting that took place on March 6, 2017. EPIC said in the FOIA request that public disclosure of this is critical as President Trump has described the media, which is subject to FCC regulation, as the "enemy of the people." FCC Chair Pai also recently suspended parts of a broadband privacy order that protects Internet users from invasive tracking and profiling. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy. EPIC also has a long-standing petition before the FCC to end the mandatory retention of customer telephone records. (Mar. 9, 2017)

EPIC to Senate: Back FCC Broadband Privacy Rule, End FCC Bulk Data CollectionEPIC has sent a letter to the Senate Commerce Committee ahead of an FCC oversight hearing. EPIC urged the Committee to examine the FCC's role in online privacy. EPIC supports the FCC's broadband privacy rule. In fact, EPIC had urged the FCC to adopt a comprehensive privacy rule for all communications services, as suggested by FCC Chairman Pai. EPIC also brought to the Committee's attention an outdated FCC regulation that requires the bulk collection of telephone data of American consumers. In 2015, EPIC and many consumer privacy groups petitioned the FCC to repeal, but the Commission has yet to take any action. In the letter to the Senate, EPIC said the FCC should withdraw the anti-privacy, data retention regulation. (Mar. 7, 2017)

EPIC to Congress: Examine TSA SecrecyEPIC has sent a letter to the House Committee on Oversight for a hearing on the Transportation Security Administration. EPIC has objected to the TSA's refusal to release information designated as "sensitive security information" that is pertinent to EPIC's ongoing case against TSA regarding airport body scanners. EPIC said that "seeking to hide its decision making behind this cloak of secrecy." The House Committee has also criticized the agency's use of the SSI designation. EPIC also raised concerns about the eye scanning of US travelers at US airports as well as the TSA's statement that they will no longer accept drivers licenses from states that oppose "REAL ID". (Mar. 2, 2017)

EPIC Urges Senate Committee to Protect Consumers, Democratic Institutions With Strong Cyber PoliciesIn advance of a hearing on "Cyber Strategy and Policy," EPIC has sent a letter to the Senate Armed Services Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project that will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (Mar. 2, 2017)

EPIC FOIA: EPIC Seeks Information about Airport Eye Scans of U.S. TravelersEPIC has filed an urgent FOIA request with U.S. Customs and Border Protection for details of eye scans conducted on U.S. citizens traveling internationally. The CBP has long been testing biometric identification of travelers, including U.S. citizens, and a recent report indicates U.S. citizens were subject to eye scans before traveling abroad. EPIC seeks public disclosure of the details of CBP policies for scanning U.S. citizen irises and retinas upon entry or exit to the U.S. EPIC makes frequent use of the Freedom of Information Act. As the result of a FOIA lawsuit, EPIC recently obtained several memorandum of understanding regarding the transfer of biometric identifiers between the FBI and DOD. Last month, EPIC also prevailed in EPIC v. FBI, a FOIA lawsuit public release of the FBI's privacy assessments. (Mar. 2, 2017)

EPIC Urges House Committee To Ensure Transparency, Public Reporting in Surveillance LawIn advance of a hearing on Section 702 of the Foreign Intelligence Surveillance Act, EPIC has sent a letter to the House Judiciary Committee urging increased transparency and new public reporting of the Government's surveillance activities. EPIC also highlighted that Section 702 is the central focus of multiple current legal challenges to international data transfer agreements occurring abroad. Section 702, which authorizes the bulk surveillance on the communications of non-U.S. persons, sunsets on December 31, 2017. EPIC testified before the Committee during the 2012 FISA reauthorization hearings. (Mar. 1, 2017)

EPIC in Court: Irish High Court Examines EU-US Data TransfersToday EPIC made submissions before the Irish High Court in Data Protection Commissioner v. Facebook, concerning privacy protections for transAtlantic data transfers. EPIC explained that "U.S. privacy law is characterized by particularly narrow conceptions of privacy and personal data, which in turn limit the scope of relevant constitutional, statutory, and regulatory privacy protections." EPIC also stated, "many of the privacy safeguards under U.S. law in fact operate to the exclusion of E.U. citizens" and that the "standing" doctrine is an overarching barrier to legal redress. EPIC is represented by FLAC (Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all. [Press Release] (Mar. 1, 2017)

EPIC Urges House Committee to Protect Consumers, Democratic Institutions with Strong Cyber Security MeasuresIn advance of a hearing on "Cyber Warfare in the 21st Century: Threats, Challenges, and Opportunities," EPIC has sent a letter to the House Armed Services Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (Feb. 28, 2017)

EPIC Tells Senate Committee that Transparency is Critical for Next Director of National IntelligenceEPIC has sent a statement to the Senate Select Committee on Intelligence outlining the key government transparency and cybersecurity challenges the next Director of National Intelligence will confront. The Committee meets today to consider the nomination of Sen. Dan Coats for the position. EPIC commended former Director Clapper's progress on oversight and transparency and urged the Committee to seek assurance from Sen. Coats that his office will continue that work. EPIC also warned that over classification remains an issue that frustrates government accountability. EPIC informed the Committee that EPIC has filed suit against the ODNI for public release of the Complete Assessment of the Russian interference in the 2016 election. In the unclassified report, former Director Clapper said that the Russians conducted a "multi-faceted" attack on the 2016 election. (Feb. 28, 2017)

In Court: EPIC Challenges FAA Failure to Establish Drone Privacy RulesEPIC has filed the opening brief in a lawsuit against the Federal Aviation Administration concerning drone surveillance. EPIC charged that the FAA's failure to establish privacy rules for commercial drones is a violation of law. The EPIC lawsuit is based on an Act of Congress requiring a "comprehensive plan" for drone deployment in the United States and a petition, backed by more than one hundred organizations and privacy experts, calling for privacy safeguards. EPIC stated that “As the FAA has refused to issue any privacy-related rules and refused to conduct a comprehensive rulemaking, contrary to the FAA Modernization Act and to EPIC's Rulemaking Petition, the Court must now order the agency to do so.” The case is EPIC v. FAA, No. 16-1297. (Feb. 28, 2017)

Congressman Pallone Asks Government Accounting Office to Study Costs of Eliminating Privacy RulesCongressman Frank Pallone has asked the U.S. Government Accounting Office to study the harms of eliminating rules that protect consumer privacy. "With the near universal use of the internet, and the rapid expansion of connected devices, corporations now have more information about American consumers than ever before," Pallone wrote in his letter. "It is, therefore, more important than ever that Americans' privacy and security be protected online." Pallone asked the GAO to report on whether the "notice and choice" approach to privacy regulation works, what challenges consumers face in protecting their information, and how the FCC, FTC, and other agencies approach privacy regulation. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy. EPIC also explained in comments to the FTC and FCC and in testimony before Congress that "notice and choice" is insufficient to protect consumer privacy. (Feb. 27, 2017)

Yahoo Responds to Senators About Data BreachYahoo has responded to a letter from Senators John Thune (R-SD) and Jerry Moran (R-KS) inquiring into data breaches that exposed over a billion user records in 2013 and 2014. Yahoo said in its response that it has notified users affected by the breaches, required users who had not changed their passwords since 2014 to do so, and encouraged all users to review their passwords and security questions. Yahoo's letter also discussed the steps the company has taken to improve its security program. EPIC testified in support of strong data breach notification laws in 2009 and 2011, launched "Data Protection 2016" to make privacy a campaign issue and recently filed an amicus brief to protect the ability of consumer to sue companies that fail to protect their personal information. (Feb. 24, 2017)

EPIC, Coalition Back Improved Government TransparencyIn comments to Office of Government Information Services, EPIC and a coalition of open government groups urged greater transparency for dispute resolutions. The coalition wrote that a proposed rule "would impose restrictive confidentiality requirements." The coalition proposed revisions that "do not place restrictive confidentiality requirements on requesters" who use dispute resolution services. EPIC routinely advocates on behalf of open government and transparency. Earlier this month, EPIC and a coalition called on the Office of Management and Budget to preserve public access to online government information. EPIC also recently prevailed in EPIC v. FBI, a Freedom of Information Act lawsuit for public release of the FBI's privacy assessments. (Feb. 24, 2017)

Supreme Court to Consider Internet Censorship, EPIC Files Amicus BriefThe U.S. Supreme Court will hear arguments Monday in Packingham v. North Carolina. At issue is a state law that bars people listed in a sex offender registry from accessing any commercial website that allows users under 18 to create profiles and communicate online. The North Carolina ban covers major news sites such as the New York Times and CNN. Packingham was convicted for posting "Good is God" on Facebook after a traffic ticket was dismissed. EPIC filed a "friend-of-the-court" brief joined by thirty-five technical experts, legal scholars, and civil liberties organizations, EPIC explained that the law violates the First Amendment right to receive information, censors vast amounts of speech unrelated to protecting minors, and will lead to widespread government monitoring of all internet users. "The state can no more criminalize what an individual chooses to read on a personal electronic device than it can restrict the contents of a home library: the privacy of both is sacrosanct," EPIC wrote. EPIC regularly files amicus briefs with the US Supreme Court on emerging privacy and civil liberties issues. EPIC previously argued for First Amendment privacy protections in Doe v. Reed, Watchtower Bible v. Stratton, and Los Angeles v. Patel. (Feb. 24, 2017)

FBI Responds to EPIC FOIA Suit for Details of Russian Interference with 2016 ElectionThe FBI has filed an answer to EPIC's Freedom of Information Act lawsuit for records pertaining to the Russian interference with the 2016 Presidential election. In the answer, the FBI acknowledged receipt of EPIC's FOIA request. EPIC filed suit against the FBI in federal district court after the agency failed to make a timely decision concerning EPIC's request for expedited processing of the FOIA request. The parties will next confer to set a schedule for production of documents and briefing, if necessary. EPIC has also filed suit against the ODNI for public release of the Complete ODNI Assessment of the Russian interference in the 2016 election. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (Feb. 23, 2017)

EPIC Prevails in FOIA Lawsuit for FBI Privacy AssessmentsEPIC has prevailed in EPIC v. FBI, a case involving a Freedom of Information Act request for privacy assessments the FBI is required to prepare. EPIC sued the Federal Bureau of Investigation after the agency failed to respond to EPIC's FOIA request for the assessments. EPIC subsequently challenged the adequacy of the agency's search for responsive documents and the FBI's claim that record could be withheld pursuant to "Exemption 7(E)," which concerns law enforcement "techniques and procedures." Today, the federal judge concluded that "the FBI neither adequately described its search nor properly justified its withholdings of information under FOIA exemption 7(E)." The Court ordered the FBI to supplement the record to address the inadequacy of the agency's search and the basis for the Exemption 7(E) claims. (Feb. 21, 2017)

Coalition Urges UN to Investigate US Social Media MonitoringA coalition of human rights groups is urging the UN to investigate reports that the US is demanding entrants provide access to their cell phones and social media accounts. "These practices persist in violation of the United States human rights treaty obligations and your action is needed to hold the government accountable," the group stated in a letter to the the UN High Commissioner on Human rights and other UN offices. EPIC recently submitted an urgent request for disclosure of DHS plans to step up social media monitoring, and previously prevailed in a lawsuit against the agency to reveal records of its monitoring programs. EPIC's Privacy Law Sourcebook 2016, available in the EPIC bookstore, provides an overview of privacy frameworks around the world and tracks emerging privacy challenges. (Feb. 16, 2017)

EPIC, Coalition Recommend 10 Steps for the FTC to Protect Consumers in 2017EPIC and a coalition of consumer groups sent a letter to the Federal Trade Commission recommending 10 steps the agency should take to protect consumers and promote competition in 2017. "American consumers today are at great risk of identity theft, financial fraud, and data breaches," the coalition wrote, arguing that "proactive efforts to strengthen data protection will spur innovation and support business models that are sustainable over time." The letter asks the FTC to increase its enforcement efforts, promote transparency, and pursue actions based on unfairness instead of relying on "notice and choice." EPIC has consistently urged the FTC to exercise its full authority in protecting consumers. EPIC has also filed numerous consumer privacy complaints with the FTC, including a recent complaint about "toys that spy." (Feb. 16, 2017)

EPIC, Coalition Urge OMB to Preserve Access to Public InformationEPIC and a coalition of over sixty organizations urged the Office of Management and Budget to preserve access to government information online. In a letter, the coalition called on OMB to ensure agencies give the public notice required by law before removing information. The coalition warned that agencies have begun removing information on topics "such as animal welfare, individuals with disabilities, climate change, and more from their websites." EPIC routinely advocates on behalf of open government and transparency. EPIC is currently pursuing two Freedom of Information Act lawsuits for records related to the Russian interference in the 2016 Presidential election. (Feb. 13, 2017)

EPIC Urges Congress to Protect Consumers, Democratic Institutions with Strong Cyber Security MeasuresIn advance of a hearing on "Strengthening U.S. Cybersecurity Capabilities," EPIC has sent a letter to the House Science Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. (Feb. 13, 2017)

Acting FTC Chair Outlines Consumer Protection PrioritiesIn a recent speech, Acting Federal Trade Commission Chairwoman Maureen Ohlhausen outlined her priorities for consumer protection. Ohlhausen recognized that "a notice-and-choice approach to privacy may not adequately protect consumers" but advocated a market-focused "harms-based approach" to privacy. She pointed to recent settlements with Ashley Madison and Eli Lilly as cases involving significant non-financial harm to consumers. Ohlhausen also proposed making the results of all FTC data security investigations public, not only those that result in enforcement actions. EPIC supports increased transparency in FTC actions but has explained in comments to the FTC and FCC and in testimony before Congress that "notice and choice" and "harms based" approaches are insufficient to protect consumer privacy. (Feb. 6, 2017)

EPIC FOIA: EPIC Seeks Information About Immigration Executive OrderEPIC has filed an urgent FOIA request with the Department for Homeland Security for further information about a DHS press release on "Compliance With Court Orders And The President's Executive Order." The DHS Press Release follows an Executive Order on entry to the United States and a series of court decisions suspending the Order. EPIC is now seeking details about the DHS's activities, including communications with other agencies, communications with airlines, and legal memos supporting the agency's actions. The Inspector General of DHS also announced an investigation to review "allegations of individual misconduct on the part of DHS personnel." EPIC cited both an "urgency to inform the public" and "exceptional media interest" in questions about the "government's integrity" in support of the request for expedited processing. EPIC will continue to press the DHS for prompt release of the documents sought. More information about EPIC's FOIA work is available on the FOIA Case page. (Feb. 3, 2017)

House to Consider Narrow Update for Communications Privacy LawCongress is scheduled to consider the "Email Privacy Act" (H.R. 387) next week. The bill passed the House 419-0 last session. The Act amends the Electronic Communications Privacy Act of 1986 to extend the warrant requirement to communications stored for more than 180 days. An earlier version of the the Act would have required notice of email searches to the user, with some exceptions. EPIC has recommended several other ECPA updates, including protections for location data, data minimization requirements, and end-to-end encryption for commercial e-mail services. (Feb. 3, 2017)

EPIC FOIA: EPIC Obtains Details of U.S. Government-Industry Meeting to Combat ISIL OnlineAs a result of a Freedom of Information Act request, EPIC obtained documents detailing a DOJ and White House meeting with top industry representatives to help combat ISIL's online influence. The February 2016 meeting, called the "Madison Valleywood Project,"convened a range of industry members to "collaborate in generating and amplifying compelling content that would undermine ISIL's online messaging and recruitment efforts." A series of slides set the stage for the project, proposing counter strategies like "disrupting their digital landscape" and encouraging use of data metrics to track success. EPIC routinely pursues FOIA requests and lawsuits to improve government oversight and accountability. In 2012, EPIC prevailed in a lawsuit against DHS revealing the agency's social media monitoring policies, including instructions to analysts to monitor criticism of the agency. More information about EPIC's FOIA work is available on the FOIA Case page. (Jan. 31, 2017)

Aspen Institute Report Explores Artificial IntelligenceThe Aspen institute released a report on the Artificial Intelligence workshop on connected cars, healthcare, and journalism. "Artificial Intelligence Comes of Age" explored issues at "the intersection of AI technologies, society, economy, ethics and regulation." The Aspen report notes that "malicious hacks are likely to be an ongoing risk of self-driving cars" and that "because self-driving cars will generate and store vast quantities of data about driving behavior, control over this data will become a major issue." The Aspen report discusses the tension between privacy and diagnostic benefits in healthcare AI and describes "some of the alarming possible uses of AI in news media." EPIC has promoted Algorithmic Transparency and has been at the forefront of vehicle privacy through testimony before Congress, amicus briefs, and comments to the NHTSA. (Jan. 30, 2017)

Federal Agencies Issue New Common Rule Regs, Delay Privacy SafeguardsThe Department of Health and Human Services, along with fifteen other federal agencies, released a final revision for the Common Rule which establishes privacy rights for personal information collected from human subjects in federally funded research. EPIC submitted extensive comments, urging the agencies to adopt strong privacy protections for personal data for the revised Common Rule. However, the federal agency deferred new safegaurds, as well as privacy guidance for internal review boards, claiming that current privacy laws were adequate. (Jan. 27, 2017)

EPIC Urges Federal Appeals Court to Safeguard Donor PrivacyEPIC has filed a "friend-of-the-court" brief in a donor privacycase before the Ninth Circuit Court of Appeals. Under California law, nonprofit organizations are required to send the state each year a list of donors and their donations. EPIC said this reporting requirement "infringes on several First Amendment interests, including the free exercise of religion, the freedom to express views without attribution, and the freedom to join in association with others without government monitoring." EPIC traced the history of anonymous giving in Christianity, Islam, and Judaism. EPIC also explained that California has "failed to implement basic data protection standards" for donor information. In amicus briefs for the U.S. Supreme Court, EPIC has argued for similar Constitutional privacy rights in Packingham v. North Carolina, Doe v. Reed, Watchtower Bible v. Stratton, and Patel v. Los Angeles. (Jan. 27, 2017)

Pew Survey Finds Majority of Americans Are Data Breach VictimsAccording to a new public opinionstudy from the Pew Research Center, 64% of Americans have personally experienced a major data breach, and 49% feel that their personal information is less secure than it was 5 years ago. Pew also found that 41% of Americans have dealt with fraudulent charges on their credit card, and 15% have received notice that their Social Security number had been compromised. Pew found that a substantial majority (70%) of Americans anticipate major cyberattacks in the next five years on our nation's public infrastructure. The EPIC Data Protection campaign highlights the need to improve privacy safeguards in the United States. (Jan. 26, 2017)

FTC Issues Report on Cross-Device TrackingThe Federal Trade Commission has issued Cross-Device Tracking: An FTC Staff Report, which describes online tracking technology used to link a consumer's activity across smartphones, laptops, tablets, and other internet-connected devices. The report follows from an FTC workshop on this emerging practice. EPIC filed comments with the Commission urging limits on cross-device tracking, which presents significant privacy challenges due to the "lack of transparency and control in this undetectable online tracking scheme." EPIC explained how "notice and choice" fails to protect consumers from this surreptitious activity. The FTC's report recommends continued industry-self regulation and application of the unworkable "notice and choice" approach to this new practice. (Jan. 26, 2017)

EPIC Sues for Release of Complete Report on Russian Interference with 2016 ElectionEPIC has filed a Freedom of Information Act lawsuit against the Office of the Director of National Intelligence in federal district court in Washington, DC. The case is designated EPIC v. ODNI, No. 17-163 (D.D.C. filed Jan. 25, 2017). As EPIC makes clear in the complaint, "there is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks in democratic institutions." More details in the press release. Last week EPIC sued the FBI to uncover details of the Bureau's response to Russian interference. (Jan. 26, 2017)

Trump Administration Limits Scope of Privacy ActLess than one week in office, the Trump Administration has published an Executive Order that limits the application of the federal Privacy Act. The Order states that "Agencies shall . . . ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act . . .” Few U.S. privacy laws distinguish between U.S. and non-U.S. citizens. The Privacy Act is an exception. Some efforts were made in the last few years to update the Privacy Act, a law adopted in 1974, as the federal government now collects detailed personal information on non-U.S. citizens. The reforms were also considered legally necessary to permit U.S. firms to obtain access to the data of European consumers. (Jan. 26, 2017)

Pompeo Confirmed as CIA Director, Privacy Concerns RemainThis week the U.S. Senate confirmed Rep. Mike Pompeo to be Director of the CIA by a vote of 66-32. EPIC sent a statement to the Senate Select Committee on Intelligence highlighting Pompeo's troubling statements on privacy and surveillance. In a January 2016 op-ed, Mr. Pompeo wrote that "Congress should pass a law re-establishing collection of all metadata, and combining it with publicly available financial and lifestyle information into a comprehensive, searchable database. Legal and bureaucratic impediments to surveillance should be removed." EPIC warned the Senate Committee that the CIA Director must not "turn the enormous surveillance powers of the agency against the American people." A recent Freedom of Information Act case pursued by an EPIC revealed that the CIA spied on staff members of the US Senate. (Jan. 25, 2017)

Supreme Court Won't Review Decision That Struck Down Texas Voter ID LawThe U.S. Supreme Court has declined to review a ruling by the Fifth Circuit Court of Appeals that a Texas voter ID law violates the Voting Right Act. The decision means that Texas won't be able to enforce the law, which poses a significant threat to voter privacy and could discourage legal voters. Last summer, the appeals court held that the Texas Law had a "discriminatory effect" on minorities' voting rights and remanded the case to the lower court. Texas petitioned the Supreme Court to review the decision, but the court refused to do so Monday. EPIC filed an amicus brief arguing that that the Texas law places an unconstitutional burden on voters' rights to informational privacy because of the excessive collection of personal data. Such bills "disenfranchise individuals who seek to protect their personal information from data breach, cybercrime, and commercial exploitation," EPIC told the court. (Jan. 24, 2017)

US Designates Countries Covered Under the Judicial Redress ActDuring the final week in office, the Obama Department of Justice released the list of European countries covered under the Judicial Redress Act. The Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU "Umbrella Agreement," which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended substantial changes to the Judicial Redress Act, explaining in a letter to Congress that the bill still did not provide adequate protection to permit transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement. (Jan. 23, 2017)

White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves OfficeAs one of the final acts of the outgoing President, the White House has released "Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation." In 2008, President Obama announced "Change We Can Believe In" and said he would "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." Beginning after his election, privacy groups across the county urged the President to strengthen privacy in America. In 2012, Obama proposed a Consumer Privacy Bill of Rights but no legislation followed. After the Snowden revelations, Congress enacted the Freedom Act and Obama reformed intelligence practices, but the US failed to limit data collection outside the US. The "Privacy Shield," a framework to gather data for commercial use without legal protections, was put in place even after NGOs urged comprehensive reforms in the US and the EU. Between 2009 and 2016, the levels of data breach, identity theft, and financial fraud in the United States skyrocketed, even as Americans called for stronger protections. The 2016 Presidential election was marked by data breaches, email disclosures and cyber attack The U.S. is still one of the few democratic nations in the world without a data protection agency. (Jan. 19, 2017)

NEWS UPDATE - EPIC Sues FBI for Details of Russian Interference with 2016 ElectionEPIC today filed a Freedom of Information Act lawsuit against the Federal Bureau of Investigation in federal district court in Washington, DC. The case is designated EPIC v. FBI, No. 17-127 (D.D.C. filed Jan. 18, 2017). The complaint states “EPIC challenges the FBI’s failure to make a timely decision concerning EPIC’s request for expedited processing of the FOIA request for records about the Russian interference with the 2016 Presidential Election.” A press conference will be held at the Fund for Constitutional Government on Capitol Hill on Thursday, January 19, 2017 at 1 pm. Media Advisory (Jan. 18, 2017)

NEWS ALERT - EPIC to Convene Capitol Hill Press ConferenceEPIC will host a press conference at the Fund for Constitutional Government, across the street from the U.S. Supreme Court, on Thursday, January 19, 2017, at 1 pm, concerning the Russian Interference with the 2016 Presidential Election. Details to follow. (Jan. 18, 2017)

EPIC Tells Senate to Probe Commerce Nominee on Data Protection, Privacy ShieldEPIC has sent a letter to the Senate Commerce Committee outlining the key privacy issues that the next Secretary of Commerce should address. The Committee convened this week to consider the nomination of Wilbur Ross for Commerce Secretary. EPIC stated that privacy protection may be on "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC urged the Committee to ensure the nominee "make clear his commitment to a comprehensive approach to data protection, based in law." EPIC warned about the inadequacy of the Privacy Shield, a non-legal framework that permits the flow of European consumers' personal data to the United States, outside of European privacy law. (Jan. 18, 2017)

EPIC Defends Right of Data Breach Victims to Seek Legal ReliefEPIC has filed a "friend-of-the-court" brief urging a federal appeals court to protect consumers' ability to sue companies that fail to safeguard personal information. A group of consumers sued health insurer Carefirst after the company's faulty security practices allowed hackers to obtain the personal information of 1,100,000 customers. A lower court wrongly dismissed the case because the judge believed that consumers must suffer identity theft before a court can consider violations of legal obligations. In the amicus brief, EPIC explained that the court misunderstood the relevant law, and confused the legal responsibility of companies to maintain good security with the harms that consumers eventually suffer. EPIC said courts should focus on whether companies have breached a legal obligation to safeguard personal data. EPIC regularly files briefs defending consumer privacy. (Jan. 18, 2017)

EPIC Urges Senate Committee to Examine CIA Nominee's Positions on SurveillanceEPIC has sent a statement to the Senate Select Committee on Intelligence highlighting CIA Director nominee Mike Pompeo's troubling positions on privacy and surveillance. In a January 2016 op-ed, Mr. Pompeo wrote that "Congress should pass a law re-establishing collection of all metadata, and combining it with publicly available financial and lifestyle information into a comprehensive, searchable database. Legal and bureaucratic impediments to surveillance should be removed." EPIC warned the Committee that the CIA Director must not "turn the enormous surveillance powers of the agency against the American people." The CIA has a long history of unlawful surveillance. A recent Freedom of Information Act case pursued by an EPIC revealed the CIA spied on staff members of the US Senate. (Jan. 17, 2017)

Senate Intelligence Committee Presses FBI to Reveal Russia InvestigationSenator Richard Burr (R-NC) and Senator Mark Warner (D-VA), the Chairman and Ranking Member of the Senate Intelligence Committee, have announced a bipartisan inquiry into the Russian interference with the 2016 Presidential Election. Democratic members of the House Judiciary Committee have also pressed the FBI to confirm its investigation of President-elect Trump's ties to Russia. In a letter to FBI Director James Comey, Committee Members requested "all documentation relevant to this investigation" be provided to the Committee "as soon as possible." EPIC has filed two urgent Freedom of Information Act requests concerning Russian interference: one for records about the FBI's lax response to the foreign cyber threat, the other for the report "Russian Activities and Intentions in Recent US Elections". This week EPIC also urged the Senate Armed Services Committee to pursue an investigation. (Jan. 16, 2017)

National Academies Releases Report on Government Data, Statistics, and PrivacyThe National Academies of Sciences has released a new report that examines how disparate federal data sources can be used for policy research while protecting privacy. The NAS Statistics and Privacy Report states that privacy must be a "core value" of any use of government data and recommends that federal statistical agencies "adopt modern database, cryptography, privacy-preserving, and privacy-enhancing technologies” and "engage in collaborative research with academia and industry to continuously develop new techniques to address potential breaches of the confidentiality of their data." EPIC President Marc Rotenberg and EPIC Advisory Board member Cynthia Dwork served on the committee that developed the report. Mr. Rotenberg testified before the Commission on Evidence-Based Policymaking, which is working on increasing access to government data for policy analysis. EPIC also filed comments with the Commission urging it to promote Privacy Enhancing Techniques. (Jan. 12, 2017)

Intelligence Director Removes Key Privacy Safeguards for Raw IntelligenceThe Director of National Intelligence has announced new rules that permit intelligence agencies to disseminate "raw" signals intelligence without first removing or "minimizing" personal information. EPIC and other civil liberties groups opposed these changes in a letter last year to the Director, explaining that the changes would "fatally weaken existing restrictions on access to the phone calls, emails, and other data the NSA collects." The Director said that the new rules would "prohibit recipient elements from querying raw [intelligence] for a law enforcement purpose." But EPIC previously highlighted the risks of consolidating personal data in a FOIA lawsuit, EPIC v. ODNI, against the Director of National Intelligence. (Jan. 12, 2017)

FTC Sues D-Link Over Poor Security in Internet Routers and CamerasThe Federal Trade Commission has filed a lawsuit against Internet of Things device maker D-Link. The complaint alleges that D-Link failed to use adequate security in its internet cameras and routers despite promises that the devices were "easy to secure" and used "advanced network security." The poor security practices alleged by the FTC include using easily-guessed default passwords, mishandling code-signing keys, and storing usernames and passwords in plaintext. EPIC has worked extensively on the risks of the Internet of Things, recommending safeguards for connected cars, "smart homes," and "always on" devices. In 2013, EPIC submitted comments to the FTC addressing the security and privacy risks of IoT devices. (Jan. 12, 2017)

EPIC Calls on FCC to Prohibit Forced ArbitrationEPIC and a coalition of privacy advocates have submitted comments asking the FCC to prohibit forced arbitration clauses in communications contracts. Arbitration clauses require consumers to settle complaints in private proceedings out of court, often in inconvenient locations and before arbitrators of the company's choosing. The comments note that forced arbitration clauses allow corporations to "escape accountability for systemic harms" such as overbilling. The FCC's broadband privacy rules, adopted in October 2016, did not address forced arbitration clauses, but Chairman Wheeler announced at the FCC's October meeting that the agency had begun an internal process for rulemaking on that issue. EPIC has urged the FCC to establish comprehensive safeguards for consumer privacy, to ban pay-for-privacy schemes, and to prohibit mandatory arbitration. EPIC has frequently defended FCC privacy rules and currently has a petition pending before the FCC to end the mandatory retention of customer telephone records. (Jan. 12, 2017)

EPIC, Technology Experts Urge Senate Committee to Monitor President’s Homeland Security AdvisorIn a letter to the Senate Committee on Homeland Security, EPIC and leading experts urged Congress to keep a close eye on the White House Homeland Security Advisor. EPIC explained that the position, equal in power to the National Security Advisor, carries "significant implications for the safety and security of the American people." EPIC said that the Homeland Security Advisor should ensure "the Russian government poses no further threats to the United States electoral system or to other democratic governments." EPIC also said that "data protection and privacy should remain a central focus" of U.S. cyber security policy. The EPIC letter was signed by distinguished experts in cyber security, information technology, encryption, and human rights law. (Jan. 10, 2017)

Europe to Update Consumer Privacy RulesThe European Commission has released its proposal to update EU law on privacy and security safeguards for electronic communications. The revamped e-Privacy Regulation would extend important new safeguards to users of all online communications services, including email, instant messaging, and social media. The proposal would also protect both communications content and metadata, and would limit tracking of internet users. In the US, the FCC recently adopted modest privacy rules that apply only to broadband services offered by telecom companies, despite EPIC's repeatedadvice to the FCC to address "the full range of communications privacy issues facing US consumers." The Commission's update of the e-Privacy Directive follows the recently adopted General Data Protection Regulation, and must next be adopted by the European Parliament and European Council. (Jan. 10, 2017)

EPIC Seeks Expedited Release of Report on Russian Interference in 2016 ElectionEPIC has submitted an urgent Freedom of Information Act request to the Office of the Director of National Intelligence (ODNI) seeking the complete report on the Russian interference in the 2016 Presidential Election. On January 6, the ODNI released a public summary on the Russian interference, but withheld important information. EPIC is seeking expedited release of the complete, unreacted report. EPIC is also seeking records from the FBI about the agency's lax response to the foreign cyber threat. EPIC submitted a statement to the Senate Armed Services Committee hearing on Russian interference. Congress will hold a second hearing today, and a bill initiating new sanctions against Russia is expected this week. EPIC will continue to press the ODNI for prompt release of the report. (Jan. 10, 2017)

EPIC Urges TSA to Drop REAL ID Data Collection PlanIn comments to the TSA, EPIC urged the agency to abandon a proposed information collection plan under the REAL ID Act. REAL ID is a federal to turn the state driver's license into a national identity statement. Many states have opposed REAL ID. The TSA now plans to subject Americans, without a TSA "compliant" ID, to broad information collection requirements. EPIC, supported by a broad coalition, opposed REAL ID because it compromised privacy and enabled government surveillance. EPIC provided detailed comments to DHS later issued a report. Since adoption of REAL ID, many states have suffered data breaches of DMVs because of criminals seeking REAL ID mandated documents. (Jan. 10, 2017)

Senate to Consider Nomination of Senator Sessions for Attorney General Tomorrow the Senate Judiciary Committee will begin hearings on the nomination of Senator Jeff Sessions for Attorney General. EPIC submitted a statement to the Committee, which stated “Senator Sessions’ record regarding the privacy rights of Americans raises serious questions about his selection as Attorney General.” EPIC pointed to Sessions’ support for warrantless surveillance of the American people and opposition to government oversight. Senator Sessions also opposed Apple in its dispute with the FBI and failed to support efforts to modernize the Electronic Communications Privacy Act. The Lawyers for Good Government also raised concerns about Senator Session’s support for the Privacy Act, the Freedom of Information Act, as well as his independence to “prosecute all criminal acts including those that may implicate the President of the United States.” (Jan. 9, 2017)

Supreme Court Declines to Review Video Privacy Violations by Google, ViacomThe U.S. Supreme Court declined today to review In re Nickelodeon, a class action suit concerning privacy protections for Internet users under the Video Privacy Protection Act. Last year, a federal appeals court rejected claims that Google and Viacom had violated the statute, holding that static IP and MAC addresses are not "personally identifiable information." That opinion contradicted a previous ruling from a different federal appeals court, which held that unique IDs are personally identifiable under the video privacy law. EPIC filed an amicus brief in the Nickelodeon case, explaining that Congress defined personal information broadly "to ensure that the underlying intent of the Act-to safeguard personal information against unlawful disclosure-is preserved as technology evolves." (Jan. 9, 2017)

White House Issues Data Breach Guidance for Federal AgenciesThe White House Office of Management and Budget has released guidance establishing common standards and practices for how federal agencies manage data breaches. The Data Breach Memorandum sets out a risk-based framework for evaluating data breaches and requires each agency to develop a data breach response plan. Not all breaches will trigger individual notification under the guidance. The new guidance comes four months after a House Government and Oversight Committee report criticized the Office of Personnel Management about the 2015 data breaches that compromised the records of 22 million federal employees and family members. EPIC testified in 2009 and 2011 in support of strong data breach notification laws, filed comments with the Office of Personal Management recommending limits on data collection, and has urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information. (Jan. 4, 2017)

Senate Armed Services Committee to Examine Foreign Cyber ThreatsThe Senate Armed Services Committee will hold a hearing on "Foreign Cyber Threats to the United States" on January 5, 2016. EPIC submitted a statement to the Committee to alert Senators about a pending Freedom of Information Act request. The EPIC FOIA request concerns the lax response of the FBI to the Russian interference with the 2016 Presidential election. EPIC wrote “we believe that the information that we are seeking from the FBI will also be helpful to the Senate Armed Services Committee as you investigate foreign cyber threats to the United States.”“Director of National Intelligence James Clapper, National Security Agency and Cyber Command Chief Adm. Mike Rogers and Undersecretary of Defense for Intelligence Marcel Lettre are scheduled to testify. (Jan. 4, 2017)